CVE-2026-23351
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
25/03/2026
Last modified:
24/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: split gc into unlink and reclaim phase

Yiming Qian reports Use-after-free in the pipapo set type:
Under a large number of expired elements, commit-time GC can run for a very
long time in a non-preemptible context, triggering soft lockup warnings and
RCU stall reports (local denial of service).

We must split GC in an unlink and a reclaim phase.

We cannot queue elements for freeing until pointers have been swapped.
Expired elements are still exposed to both the packet path and userspace
dumpers via the live copy of the data structure.

call_rcu() does not protect us: dump operations or element lookups starting
after call_rcu has fired can still observe the free'd element, unless the
commit phase has made enough progress to swap the clone and live pointers
before any new reader has picked up the old version.

This is a similar approach as done recently for the rbtree backend in commit
35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
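
The ordering problem described above, as an added user-space model that is not the kernel patch or any code from the kernel tree: all names (`set_lookup`, `gc_unlink`, `set_commit`, `gc_reclaim`, `reader_sees_freed`) are hypothetical, the sample set (keys 0 to 3, odd keys expired) is constructed, "freeing" is modelled as setting a flag, and RCU and concurrency are not modelled.

```c
#include <stddef.h>
#define SLOTS 4
struct elem { unsigned key; long expires; int freed; struct elem *gc_next; };
struct view { struct elem *slot[SLOTS]; };  /* one version of the lookup data */
struct set { struct view v[2], *live, *clone; struct elem *gc_list; };

/* Reader side (packet path, dump): only ever looks at the live view. */
struct elem *set_lookup(const struct set *s, unsigned key) {
    struct elem *e = s->live->slot[key % SLOTS];  /* direct-mapped for brevity */
    return (e && e->key == key) ? e : NULL;
}
/* Phase 1, unlink: drop expired elements from the clone and park them. */
void gc_unlink(struct set *s, long now) {
    for (int i = 0; i < SLOTS; i++) {
        struct elem *e = s->clone->slot[i];
        if (!e || e->expires > now) continue;   /* empty or not expired */
        s->clone->slot[i] = NULL;
        e->gc_next = s->gc_list;
        s->gc_list = e;
    }
}
/* Commit: publish the clone, then resync the old live view as the next clone. */
void set_commit(struct set *s) {
    struct view *old = s->live;
    s->live = s->clone;
    s->clone = old;
    *s->clone = *s->live;
}
/* Phase 2, reclaim: stand-in for freeing; marks the element instead of free(). */
void gc_reclaim(struct set *s) {
    for (; s->gc_list; s->gc_list = s->gc_list->gc_next)
        s->gc_list->freed = 1;
}
/* Constructed sample; returns 1 if a reader before the swap gets a freed element. */
int reader_sees_freed(int reclaim_before_swap) {
    struct elem pool[SLOTS];
    struct set s = { .live = &s.v[0], .clone = &s.v[1] };
    for (unsigned i = 0; i < SLOTS; i++) {      /* odd keys expired at now=100 */
        pool[i] = (struct elem){ .key = i, .expires = (i % 2) ? 50 : 200 };
        s.live->slot[i] = s.clone->slot[i] = &pool[i];
    }
    gc_unlink(&s, 100);
    if (reclaim_before_swap) gc_reclaim(&s);   /* pre-fix ordering */
    struct elem *e = set_lookup(&s, 1);        /* reader before the swap */
    int bad = e && e->freed;
    set_commit(&s);
    gc_reclaim(&s);                            /* fixed ordering reclaims here */
    return bad;
}
```

`reader_sees_freed(1)` returns 1 because the live view still points at the reclaimed element; `reader_sees_freed(0)` returns 0 because reclaim waits until the swap has removed it from the live view.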
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6.1 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.77 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.6:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/16f3595c0441d87dfa005c47d8f95be213afaa9e
- https://git.kernel.org/stable/c/500a50a301ce962b019ab95053ac70264fec2c21
- https://git.kernel.org/stable/c/65ca51b9fb85477ab92a04295aed34b38f7c062e
- https://git.kernel.org/stable/c/7864c667aed01a58b87ca518a631322cd0ac34c0
- https://git.kernel.org/stable/c/9df95785d3d8302f7c066050117b04cd3c2048c2
- https://git.kernel.org/stable/c/aff13667708dfa0dce136b8efd81baa9fa6ef261
- https://git.kernel.org/stable/c/c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a
- https://git.kernel.org/stable/c/c12d570d71920903a1a0468b7d13b085203d0c93



