CVE-2026-23272

{"id": "CVE-2026-23272", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-20T09:16:12.700", "references": [{"url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86bc4b1a0f672d47ac19f9022432cb6a2e01cb33", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3ccb11fc8249759d23326038c8db987ddaabc77", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set->nelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set->nelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: incrementar incondicionalmente set->nelems antes de la inserci\u00f3n\n\nEn caso de que el conjunto est\u00e9 lleno, se publica un nuevo elemento que luego se elimina sin esperar el per\u00edodo de gracia de RCU, mientras que un lector de RCU ya puede estar recorri\u00e9ndolo.\n\nPara abordar este problema, a\u00f1adir la transacci\u00f3n del elemento incluso si el conjunto est\u00e1 lleno, pero alternar la bandera set_full para informar -ENFILE de modo que la ruta de aborto deshaga de forma segura el conjunto a su estado anterior.\n\nEn cuanto a las actualizaciones de elementos, decrementar set->nelems para restaurarlo.\n\nUna soluci\u00f3n m\u00e1s simple es llamar a synchronize_rcu() en la ruta de error.\nSin embargo, con un gran lote a\u00f1adiendo elementos a un conjunto ya agotado, esto podr\u00eda causar una ralentizaci\u00f3n notable de dichos lotes."}], "lastModified": "2026-05-23T12:17:01.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEE0D9A1-4C7E-48E7-A9AF-94665FE9075B", "versionEndExcluding": "4.10", "versionStartIncluding": "4.9.33"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDFCFD07-2965-4650-8296-7B0C3DE7DCA3", "versionEndExcluding": "6.18.17", "versionStartIncluding": "4.10.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.10:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C201E405-86F2-4F96-984A-00A865219C86"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.10:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09B6110F-7933-484D-AEAF-5D15FF38647E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.10:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75694C52-0ADF-45EC-80AC-D973535B5CB9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.10:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29F29665-6B16-4D9F-A417-D0743395DF01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}