IM
IronMonkey Threat Research

CVE-2026-31665 HIGH

Published: 2026-04-24 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Type: Secondary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-416

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdc9f4300> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd6a7dc0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc9f4500> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9be2c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc9f5ac0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc9f6e40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9be680> Operating System
linux linux_kernel 4.19 <built-in method update of dict object at 0x702bdd9bf200> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd9bf680> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdc9f4e40> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd6a6b40> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd9bd0c0> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdc9f4700> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd9bef80> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702bdd6a5d00> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

References

Notification
Message here