In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: fix use-after-free in timeout object destroy

nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
immediately after nf_ct_untimeout(), without waiting for an RCU grace
period. Concurrent packet processing on other CPUs may still hold
RCU-protected references to the timeout object obtained via
rcu_dereference() in nf_ct_timeout_data().

Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer
freeing until after an RCU grace period, matching the approach already
used in nfnetlink_cttimeout.c.

KASAN report:
BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
Read of size 4 at addr ffff8881035fe19c by task exploit/80

Call Trace:
nf_conntrack_tcp_packet+0x1381/0x29d0
nf_conntrack_in+0x612/0x8b0
nf_hook_slow+0x70/0x100
__ip_local_out+0x1b2/0x210
tcp_sendmsg_locked+0x722/0x1580
__sys_sendto+0x2d8/0x320

Allocated by task 75:
nft_ct_timeout_obj_init+0xf6/0x290
nft_obj_init+0x107/0x1b0
nf_tables_newobj+0x680/0x9c0
nfnetlink_rcv_batch+0xc29/0xe00

Freed by task 26:
nft_obj_destroy+0x3f/0xa0
nf_tables_trans_destroy_work+0x51c/0x5c0
process_one_work+0x2c4/0x5a0

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < c458fc1c278a65ad5381083121d39a479973ebed
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < c581e5c8f2b59158f62efe61c1a3dc36189081ff
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < f16fe84879a5280f05ebbcea593a189ba0f3e79a
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < 070abdf1b04325b21a20a2a0c39a2208af107275
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < b42aca3660dc2627a29a38131597ca610dc451f9
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < d0983b48c10d1509fd795c155f8b1e832e1369ff
7e0b2b57f01d183e1c84114f1f2287737358d748 affected < f8dca15a1b190787bbd03285304b569631160eda
Linux Linux affected
Version Status Constraints
4.19 affected
0 unaffected < 4.19
5.10.253 unaffected ≤ 5.10.*
5.15.203 unaffected ≤ 5.15.*
6.1.169 unaffected ≤ 6.1.*
6.6.135 unaffected ≤ 6.6.*
6.12.82 unaffected ≤ 6.12.*
6.18.23 unaffected ≤ 6.18.*
6.19.13 unaffected ≤ 6.19.*
7.0 unaffected ≤ *

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275 cve-icon cve-icon
https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 cve-icon cve-icon
https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9 cve-icon cve-icon
https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed cve-icon cve-icon
https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff cve-icon cve-icon
https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff cve-icon cve-icon
https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a cve-icon cve-icon
https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda cve-icon cve-icon
History

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0
Title netfilter: nft_ct: fix use-after-free in timeout object destroy
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-24T14:45:14.613Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31665

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-24T15:16:46.157

Modified: 2026-04-24T17:51:40.810

Link: CVE-2026-31665

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.