
CVE-2026-23231

Published: March 4, 2026 · Updated: Mar 4, 2026

EPSS: 0.02% probability of exploitation in 30 days. Percentile: 6.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.

This creates two use-after-free conditions:

1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it.

2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain.

Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.

NVD Source
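The ordering in the description above, as an added user-space model in C (not the kernel patch and not code from this page): one reader is held inside its read-side section while the error path unlinks and destroys the chain, once without and once with a wait for readers. The `model` struct, the reader counter and the `gate` flag are assumptions standing in for RCU, and a `destroyed` flag replaces the actual free.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>

/* User-space model only: every name is an assumed stand-in, not kernel code. */
struct chain { atomic_bool destroyed; };      /* flag stands in for the free */
struct model {
    struct chain chain;
    struct chain *_Atomic published;          /* models the table->chains entry */
    atomic_int readers;                       /* readers in a read-side section */
    atomic_bool reader_in, gate;              /* scaffolding: forces the interleaving */
};

static void *reader(void *arg)                /* a dump thread or in-flight packet */
{
    struct model *m = arg;
    atomic_fetch_add(&m->readers, 1);         /* rcu_read_lock() */
    struct chain *c = atomic_load(&m->published);   /* found while still listed */
    atomic_store(&m->reader_in, true);
    while (!atomic_load(&m->gate))            /* pinned in the middle of its walk */
        sched_yield();
    bool hit = c && atomic_load(&c->destroyed);     /* the would-be use-after-free */
    atomic_fetch_sub(&m->readers, 1);         /* rcu_read_unlock() */
    return hit ? m : NULL;
}

/* Runs the error path once; true means the reader touched a destroyed chain. */
static bool reader_hits_destroyed_chain(bool grace_period)
{
    struct model m = {0};
    pthread_t t;
    void *hit = NULL;
    atomic_store(&m.published, &m.chain);     /* published before hooks register */
    if (pthread_create(&t, NULL, reader, &m) != 0)
        return false;
    while (!atomic_load(&m.reader_in))
        sched_yield();
    atomic_store(&m.published, NULL);         /* nft_chain_del(): unlink only */
    if (grace_period) {                       /* models synchronize_rcu() */
        atomic_store(&m.gate, true);
        while (atomic_load(&m.readers) > 0)
            sched_yield();
    }
    atomic_store(&m.chain.destroyed, true);   /* nf_tables_chain_destroy() */
    atomic_store(&m.gate, true);
    pthread_join(t, &hit);
    return hit != NULL;
}
int main(void) { return reader_hits_destroyed_chain(true); }  /* 0 = no hit */
```

Unlinking alone does not help a reader that already holds the pointer; only the wait before the destroy step changes the outcome.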

Technical Analysis

CVE-2026-23231 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A proof-of-concept (PoC) exploit exists for CVE-2026-23231. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

PoC available: proof-of-concept code exists.

Quick Facts

CVE ID: CVE-2026-23231
Severity: NONE
CISA KEV: No
Exploit: POC
EPSS (30d): 0.02%
Published: Mar 4, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23231 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.