CVE-2026-23231

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: fix use-after-free in nf_tables_addchain()<br /> <br /> nf_tables_addchain() publishes the chain to table-&gt;chains via<br /> list_add_tail_rcu() (in nft_chain_add()) before registering hooks.<br /> If nf_tables_register_hook() then fails, the error path calls<br /> nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()<br /> with no RCU grace period in between.<br /> <br /> This creates two use-after-free conditions:<br /> <br /> 1) Control-plane: nf_tables_dump_chains() traverses table-&gt;chains<br /> under rcu_read_lock(). A concurrent dump can still be walking<br /> the chain when the error path frees it.<br /> <br /> 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly<br /> installs the IPv4 hook before IPv6 registration fails. Packets<br /> entering nft_do_chain() via the transient IPv4 hook can still be<br /> dereferencing chain-&gt;blob_gen_X when the error path frees the<br /> chain.<br /> <br /> Add synchronize_rcu() between nft_chain_del() and the chain destroy<br /> so that all RCU readers -- both dump threads and in-flight packet<br /> evaluation -- have finished before the chain is freed.