CVE-2026-23231
published 2026-03-04CVE-2026-23231: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain()…
PriorityP345high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
0.81%
52.4th percentile
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
Affected
46 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 6.18.14-1 (forky) | linux 6.18.14-1 (forky) |
| linux | linux | — | — |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < 2a6586ecfa4ce1413daaafee250d2590e05f1a33 | 2a6586ecfa4ce1413daaafee250d2590e05f1a33 |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < 7017745068a9068904e1e7a1b170a5785647cc81 | 7017745068a9068904e1e7a1b170a5785647cc81 |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < f3fe58ce37926a10115ede527d59b91bcc05400a | f3fe58ce37926a10115ede527d59b91bcc05400a |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < dbd0af8083dd201f07c49110b2ee93710abdff28 | dbd0af8083dd201f07c49110b2ee93710abdff28 |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b | 2f9a4ffeb763aec822f8ff3d1e82202d27d46d4b |
| linux | linux | >= 91c7b38dc9f0de4f7f444b796d14476bc12df7bc < 71e99ee20fc3f662555118cf1159443250647533 | 71e99ee20fc3f662555118cf1159443250647533 |
| linux | linux_kernel | >= 0 < 6.18.14-1 | 6.18.14-1 |
| linux | linux_kernel | >= 3.16 < 6.1.165 | 6.1.165 |
| linux | linux_kernel | >= 6.13 < 6.18.14 | 6.18.14 |
| linux | linux_kernel | >= 6.19 < 6.19.4 | 6.19.4 |
| linux | linux_kernel | >= 6.2 < 6.6.128 | 6.6.128 |
| linux | linux_kernel | >= 6.7 < 6.12.75 | 6.12.75 |
| msrc | azl3_kernel_6.6.126.1-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0 | — | — |
| ubuntu | linux | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-6.8 | — | — |
| ubuntu | linux-aws-fips | — | — |
| ubuntu | linux-azure | — | — |
| ubuntu | linux-azure-6.17 | — | — |
| ubuntu | linux-azure-6.8 | — | — |
| ubuntu | linux-azure-fips | — | — |
| ubuntu | linux-fips | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH
vendor_ubuntu9.8CRITICAL
vendor_debian7.8HIGH
vendor_msrc7.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Linux Kernel up to 6.19.3 netfilter nf_tables_addchain use after free (Nessus ID 301036 / WID-SEC-2026-0614)
vuldb·2026-04-29·CVSS 7.8
CVE-2026-23231 [HIGH] Linux Kernel up to 6.19.3 netfilter nf_tables_addchain use after free (Nessus ID 301036 / WID-SEC-2026-0614)
A vulnerability marked as critical has been reported in Linux Kernel up to 6.1.164/6.6.127/6.12.74/6.18.13/6.19.3. This impacts the function nf_tables_addchain of the component netfilter. This manipulation causes use after free.
The identification of this vulnerability is CVE-2026-23231. The attack needs to be done within the local network. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
GHSA-gxm6-px42-mpjc: In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addch
ghsa_unreviewed·2026-03-04
CVE-2026-23231 [HIGH] CWE-416 GHSA-gxm6-px42-mpjc: In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addch
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain()
OSV
CVE-2026-23231: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchai
osv·2026-03-04·CVSS 7.8
CVE-2026-23231 [HIGH] CVE-2026-23231: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchai
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 6.4
CVE-2026-23262 [MEDIUM] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle share
Ubuntu
Linux kernel (NVIDIA Tegra) vulnerabilities
vendor_ubuntu·2026-05-19·CVSS 9.8
CVE-2026-23231 [CRITICAL] Linux kernel (NVIDIA Tegra) vulnerabilities
Title: Linux kernel (NVIDIA Tegra) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Network drivers;
- NVME drivers;
- Netfilter;
(CVE-2026-23112, CVE-2026-23231, CVE-2026-23273)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic,
Ubuntu
Linux kernel (NVIDIA) vulnerabilities
vendor_ubuntu·2026-05-11·CVSS 9.8
CVE-2026-23231 [CRITICAL] Linux kernel (NVIDIA) vulnerabilities
Title: Linux kernel (NVIDIA) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Network drivers;
- NVME drivers;
- Netfilter;
(CVE-2026-23112, CVE-2026-23231, CVE-2026-23273)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 6.4
CVE-2025-71149 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MIPS architecture;
- PowerPC architecture;
- User-Mode Linux (UML);
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
-
Ubuntu
Linux kernel (Raspberry Pi) vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 6.4
CVE-2025-68781 [MEDIUM] Linux kernel (Raspberry Pi) vulnerabilities
Title: Linux kernel (Raspberry Pi) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MIPS architecture;
- PowerPC architecture;
- User-Mode Linux (UML);
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
-
Ubuntu
Linux kernel (Azure FIPS) vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 6.4
CVE-2025-68756 [MEDIUM] Linux kernel (Azure FIPS) vulnerabilities
Title: Linux kernel (Azure FIPS) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MIPS architecture;
- PowerPC architecture;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- Network blo
Ubuntu
Linux kernel (Xilinx) vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 6.4
CVE-2025-68288 [MEDIUM] Linux kernel (Xilinx) vulnerabilities
Title: Linux kernel (Xilinx) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
Qualys discovered that several vulnerabilities existed in the AppArmor
Linux kernel Security Module (LSM). An unprivileged local attacker could
use these issues to load, replace, and remove arbitrary AppArmor profiles
causing denial of service, exposure of sensitive information (kernel
memory), local privilege escalation,
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 6.4
CVE-2025-68756 [MEDIUM] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MIPS architecture;
- PowerPC architecture;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- Network block de
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 9.8
CVE-2026-23231 [CRITICAL] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Network drivers;
- NVME drivers;
- Netfilter;
(CVE-2026-23112, CVE-2026-23231, CVE-2026-23273)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-l
Microsoft
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
vendor_msrc·2026-03-10·CVSS 7.8
CVE-2026-23231 [HIGH] netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
vendor_redhat·2026-03-04·CVSS 7.8
CVE-2026-23231 [HIGH] CWE-416 kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook
Debian
CVE-2026-23231: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ...
vendor_debian·2026·CVSS 7.8
CVE-2026-23231 [HIGH] CVE-2026-23231: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ...
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via
No detection rules found.
Bugzilla
CVE-2026-23231 kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
bugzilla·2026-03-04·CVSS 7.8
CVE-2026-23231 [HIGH] CVE-2026-23231 kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
CVE-2026-23231 kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain()
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET,
Bleepingcomputer
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
blogs_bleepingcomputer·2026-03-10·CVSS 8.8
[HIGH] Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
## Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
## Lawrence Abrams
The number of bugs in each vulnerability category is listed below:
46 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
18 Remote Code Execution Vulnerabilities
10 Information Disclosure Vulnerabilities
4 Denial of Service Vulnerabilities
4 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 9 Microsoft Edge flaws, Mariner, Payment Orchestrator Service, Azure, and Microsoft Devices Pricing Program flaws fixed earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the
Wiz
CVE-2026-23231 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-23231 [HIGH] CVE-2026-23231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23231 :
Linux Kernel vulnerability analysis and mitigation
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 h
https://git.kernel.org/stable/c/2a6586ecfa4ce1413daaafee250d2590e05f1a33https://git.kernel.org/stable/c/2f9a4ffeb763aec822f8ff3d1e82202d27d46d4bhttps://git.kernel.org/stable/c/7017745068a9068904e1e7a1b170a5785647cc81https://git.kernel.org/stable/c/71e99ee20fc3f662555118cf1159443250647533https://git.kernel.org/stable/c/dbd0af8083dd201f07c49110b2ee93710abdff28https://git.kernel.org/stable/c/f3fe58ce37926a10115ede527d59b91bcc05400ahttps://cert-portal.siemens.com/productcert/html/ssa-253495.html
2026-03-04
Published