{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: nf_tables: always walk all pending catchall elements",
    "id" : "2449570",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449570"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-459",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_tables: always walk all pending catchall elements\nDuring transaction processing we might have more than one catchall element:\n1 live catchall element and 1 pending element that is coming as part of the\nnew batch.\nIf the map holding the catchall elements is also going away, it's\nrequired to toggle all catchall elements and not just the first viable\ncandidate.\nOtherwise, we get:\nWARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404\nRIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]\n[..]\n__nft_set_elem_destroy+0x106/0x380 [nf_tables]\nnf_tables_abort_release+0x348/0x8d0 [nf_tables]\nnf_tables_abort+0xcf2/0x3ac0 [nf_tables]\nnfnetlink_rcv_batch+0x9c9/0x20e0 [..]", "A flaw was found in the Linux kernel's netfilter subsystem, specifically within the nf_tables component. This vulnerability occurs during transaction processing when the system incorrectly handles multiple pending catchall elements, particularly when the associated map is being removed. This can lead to a kernel warning and system instability, potentially causing a Denial of Service (DoS) for the affected system." ],
  "statement" : "nf_tables transaction processing can involve more than one catchall element at the same time, such as one live element and one pending element from a new batch. When a map that holds catchall elements is being removed, the code must toggle all catchall elements. The prior logic stopped after the first viable candidate, which could leave additional pending catchall elements in an inconsistent state and later trigger a warning in nft_data_release during abort cleanup. The issue is not directly network reachable and is triggered by control plane configuration changes rather than packet traffic. Impact is primarily denial of service in environments that treat WARN as fatal or that cannot tolerate repeated abort warnings.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23278\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23278\nhttps://lore.kernel.org/linux-cve-announce/2026032036-CVE-2026-23278-4dcc@gregkh/T" ],
  "name" : "CVE-2026-23278",
  "csaw" : false
}