{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23399", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.012Z", "datePublished": "2026-03-28T07:16:09.888Z", "dateUpdated": "2026-05-11T22:06:09.495Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:09.495Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\n\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\n \u00a0 unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n \u00a0 \u00a0 comm \"softirq\", pid 0, jiffies 4294931867\n \u00a0 \u00a0 hex dump (first 16 bytes on cpu 3):\n \u00a0 \u00a0 \u00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u00a0 \u00a0 backtrace (crc 0):\n \u00a0 \u00a0 \u00a0 pcpu_alloc_noprof+0x453/0xd80\n \u00a0 \u00a0 \u00a0 nft_counter_clone+0x9c/0x190 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_expr_clone+0x8f/0x1b0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_rhash_update+0x236/0x11c0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_eval+0x11f/0x670 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain+0x253/0x1700 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n \u00a0 \u00a0 \u00a0 nf_hook_slow+0xaa/0x1e0\n \u00a0 \u00a0 \u00a0 ip_local_deliver+0x209/0x330"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_tables.h", "net/netfilter/nf_tables_api.c", "net/netfilter/nft_dynset.c"], "versions": [{"version": "563125a73ac30d7036ae69ca35c40500562c1de4", "lessThan": "e6661add2d9c6913e1dad97336595e23a2bed195", "status": "affected", "versionType": "git"}, {"version": "563125a73ac30d7036ae69ca35c40500562c1de4", "lessThan": "d1354873cbe3b344899c4311ac05897fd83e3f21", "status": "affected", "versionType": "git"}, {"version": "563125a73ac30d7036ae69ca35c40500562c1de4", "lessThan": "31641c682db73353e4647e40735c7f2a75ff58ef", "status": "affected", "versionType": "git"}, {"version": "563125a73ac30d7036ae69ca35c40500562c1de4", "lessThan": "c88a9fd26cee365bec932196f76175772a941cca", "status": "affected", "versionType": "git"}, {"version": "563125a73ac30d7036ae69ca35c40500562c1de4", "lessThan": "0548a13b5a145b16e4da0628b5936baf35f51b43", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_tables.h", "net/netfilter/nf_tables_api.c", "net/netfilter/nft_dynset.c"], "versions": [{"version": "5.11", "status": "affected"}, {"version": "0", "lessThan": "5.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e6661add2d9c6913e1dad97336595e23a2bed195"}, {"url": "https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21"}, {"url": "https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef"}, {"url": "https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca"}, {"url": "https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43"}], "title": "nf_tables: nft_dynset: fix possible stateful expression memleak in error path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0618528B-8039-4E87-8695-397AE7D4B4E5", "versionEndExcluding": "6.12.78", "versionStartIncluding": "5.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*", "matchCriteriaId": "7AD3510E-E8FA-47F3-9AD5-D8EA4A2719D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\n\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\n \u00a0 unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n \u00a0 \u00a0 comm \"softirq\", pid 0, jiffies 4294931867\n \u00a0 \u00a0 hex dump (first 16 bytes on cpu 3):\n \u00a0 \u00a0 \u00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u00a0 \u00a0 backtrace (crc 0):\n \u00a0 \u00a0 \u00a0 pcpu_alloc_noprof+0x453/0xd80\n \u00a0 \u00a0 \u00a0 nft_counter_clone+0x9c/0x190 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_expr_clone+0x8f/0x1b0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_rhash_update+0x236/0x11c0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_eval+0x11f/0x670 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain+0x253/0x1700 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n \u00a0 \u00a0 \u00a0 nf_hook_slow+0xaa/0x1e0\n \u00a0 \u00a0 \u00a0 ip_local_deliver+0x209/0x330"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnf_tables: nft_dynset: corregir posible fuga de memoria de expresi\u00f3n con estado en la ruta de error\n\nSi la clonaci\u00f3n de la segunda expresi\u00f3n con estado en el elemento a trav\u00e9s de GFP_ATOMIC falla, entonces la primera expresi\u00f3n con estado permanece en su lugar sin ser liberada.\n\n   objeto sin referencia (por CPU) 0x607b97e9cab8 (tama\u00f1o 16):\n     comm 'softirq', pid 0, jiffies 4294931867\n     volcado hexadecimal (primeros 16 bytes en la CPU 3):\n       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n     rastreo de pila (crc 0):\n       pcpu_alloc_noprof+0x453/0xd80\n       nft_counter_clone+0x9c/0x190 [nf_tables]\n       nft_expr_clone+0x8f/0x1b0 [nf_tables]\n       nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n       nft_rhash_update+0x236/0x11c0 [nf_tables]\n       nft_dynset_eval+0x11f/0x670 [nf_tables]\n       nft_do_chain+0x253/0x1700 [nf_tables]\n       nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n       nf_hook_slow+0xaa/0x1e0\n       ip_local_deliver+0x209/0x330"}], "id": "CVE-2026-23399", "lastModified": "2026-04-27T14:16:30.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-28T08:15:56.720", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e6661add2d9c6913e1dad97336595e23a2bed195"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nf_tables: nft_dynset: fix possible stateful expression memleak in error path", "id": "2452569", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452569"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\u00a0 unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n\u00a0 \u00a0 comm \"softirq\", pid 0, jiffies 4294931867\n\u00a0 \u00a0 hex dump (first 16 bytes on cpu 3):\n\u00a0 \u00a0 \u00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u00a0 \u00a0 backtrace (crc 0):\n\u00a0 \u00a0 \u00a0 pcpu_alloc_noprof+0x453/0xd80\n\u00a0 \u00a0 \u00a0 nft_counter_clone+0x9c/0x190 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_expr_clone+0x8f/0x1b0 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_rhash_update+0x236/0x11c0 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_dynset_eval+0x11f/0x670 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_do_chain+0x253/0x1700 [nf_tables]\n\u00a0 \u00a0 \u00a0 nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n\u00a0 \u00a0 \u00a0 nf_hook_slow+0xaa/0x1e0\n\u00a0 \u00a0 \u00a0 ip_local_deliver+0x209/0x330", "A flaw was found in the Linux kernel's nf_tables component. This memory leak vulnerability occurs when cloning a stateful expression fails, leading to an unreleased expression. This can result in a Denial of Service (DoS) due to resource exhaustion."], "name": "CVE-2026-23399", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23399\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23399\nhttps://lore.kernel.org/linux-cve-announce/2026032820-CVE-2026-23399-60d0@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[563125a73ac30d7036ae69ca35c40500562c1de4,d1354873cbe3b344899c4311ac05897fd83e3f21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[563125a73ac30d7036ae69ca35c40500562c1de4,31641c682db73353e4647e40735c7f2a75ff58ef)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[563125a73ac30d7036ae69ca35c40500562c1de4,c88a9fd26cee365bec932196f76175772a941cca)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[563125a73ac30d7036ae69ca35c40500562c1de4,0548a13b5a145b16e4da0628b5936baf35f51b43)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:55:36.870022+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that incorporates commit 0548a13b5a145b16e4da0628b5936baf35f51b43, which addresses the nft_dynset memory leak.", "If an upgrade is not immediately possible, avoid using nftables stateful expressions that rely on nft_dynset until the patch is applied.", "Continuously review vendor security bulletins for updates or related advisories."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via kernel memory exhaustion"}, "threat_synthesis": {"affected_systems": "Linux kernels that incorporate the nftables nft_dynset code are potentially affected; no specific version information is given in the advisory, so it is unclear which releases contain the flaw.", "description_and_impact": "The flaw is a memory leak in the Linux kernel's nftables nft_dynset module. When cloning a second stateful expression fails, the first remains allocated and is never freed, creating an unreferenced per\u2011CPU object. If an attacker can repeatedly trigger this error path, the unreleased objects accumulate, exhausting kernel RAM and potentially destabilising the system, leading to denial of service.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests the of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through manipulated nftables rules or crafted network traffic that forces the clone operation to fail, a scenario that is inferred from the error path described; this inference requires privileged or local control of nftables. As a result, exploitation would most readily occur from a local attacker with sufficient privileges, while remote exploitation is unlikely without additional privileges."}}}}, "created": "2026-03-29T20:32:40.497260+00:00", "updated": "2026-04-28T22:00:14.154944+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}