CVE-2026-23458Improper Update of Reference Count in Linux

CWE-911Improper Update of Reference Count7 documents7 sources
Severity
4.4MEDIUM
No vector
EPSS
0.0%
top 90.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedApr 3

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-

Affected Packages3 packages

Debianlinux/linux_kernel< 6.19.10-1
CVEListV5linux/linuxe844a928431fa8f1359d1f4f2cef53d9b446bf52bdf2724eefd4455a66863abb025bab8d3aa98c57+6
debiandebian/linux< linux 6.19.10-1 (forky)

🔴Vulnerability Details

2
OSV
CVE-2026-23458: In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump2026-04-03
GHSA
GHSA-pqg4-x7w2-6f65: In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_du2026-04-03

📋Vendor Advisories

2
Red Hat
kernel: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()2026-04-03
Debian
CVE-2026-23458: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23458 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-23458 kernel: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()2026-04-03