
CVE-2026-23458

Published: April 3, 2026 · Updated: Apr 7, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()

ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext.

The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose.

Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily.

BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133

CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY
Call Trace:
<TASK>
ctnetlink_exp_ct_dump_table+0x4f/0x2e0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
? aa_sk_perm+0x184/0x450
sock_recvmsg+0xde/0xf0

Allocated by task 133:
kmem_cache_alloc_noprof+0x134/0x440
__nf_conntrack_alloc+0xa8/0x2b0
ctnetlink_create_conntrack+0xa1/0x900
ctnetlink_new_conntrack+0x3cf/0x7d0
nfnetlink_rcv_msg+0x48e/0x510
netlink_rcv_skb+0xc9/0x1f0
nfnetlink_rcv+0xdb/0x220
netlink_unicast+0x3ec/0x590
netlink_sendmsg+0x397/0x690
__sys_sendmsg+0xf4/0x180

Freed by task 0:
slab_free_after_rcu_debug+0xad/0x1e0
rcu_core+0x5c3/0x9c0

NVD Source
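
The reference lifetime described above, as an added user-space C model (not the kernel patch and not code from this page). struct obj, struct dump_cb, struct dump_ctl and all helper names are hypothetical stand-ins for the conntrack entry, the netlink callback state and netlink_dump_control; the model flags a released object instead of touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for a refcounted conntrack entry. */
struct obj { int refs; bool freed; };

static void obj_get(struct obj *o) { o->refs++; }
static void obj_put(struct obj *o) { if (--o->refs == 0) o->freed = true; }

/* Hypothetical stand-in for the dump callback state (cb->data). */
struct dump_cb { struct obj *data; int rounds_left; };

/* Stand-in for netlink_dump_control: start/done may be absent (NULL). */
struct dump_ctl {
    void (*start)(struct dump_cb *cb);
    void (*done)(struct dump_cb *cb);
};

static void hold_start(struct dump_cb *cb) { obj_get(cb->data); }
static void release_done(struct dump_cb *cb) { obj_put(cb->data); }

/* One dump round: reports whether cb->data is still live when it is used. */
static bool dump_round(struct dump_cb *cb)
{
    bool live = !cb->data->freed;  /* the model checks a flag, no real free */
    cb->rounds_left--;
    return live;
}

/*
 * Model of the request handler: start the dump, drop the handler's own
 * reference right away, then run the remaining rounds as later recvmsg()
 * calls would. Returns how many rounds saw an already released object.
 */
static int run_dump(const struct dump_ctl *ctl, struct obj *o, int rounds)
{
    struct dump_cb cb = { .data = o, .rounds_left = rounds };
    int stale = 0;

    o->refs = 1; o->freed = false;      /* reference taken by the lookup */
    if (ctl->start) ctl->start(&cb);    /* with the fix: dump holds its own ref */
    if (!dump_round(&cb)) stale++;      /* first round, while the dump starts */
    obj_put(o);                         /* handler drops its reference */
    while (cb.rounds_left > 0)
        if (!dump_round(&cb)) stale++;  /* later rounds, one per recvmsg() */
    if (ctl->done) ctl->done(&cb);      /* with the fix: dump releases its ref */
    return stale;
}
```

With no start/done callbacks, every round after the first runs against a released object; with both callbacks, the object outlives the last round and is released only in done.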

Technical Analysis

CVE-2026-23458 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-23458
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23458 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.