{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: nf_tables: clone set on flush only",
    "id" : "2451183",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451183"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_tables: clone set on flush only\nSyzbot with fault injection triggered a failing memory allocation with\nGFP_KERNEL which results in a WARN splat:\niter.err\nWARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992\nModules linked in:\nCPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nRIP: 0010:nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845\nCode: 8b 05 86 5a 4e 09 48 3b 84 24 a0 00 00 00 75 62 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 63 6d fa f7 90 <0f> 0b 90 43\n+80 7c 35 00 00 0f 85 23 fe ff ff e9 26 fe ff ff 89 d9\nRSP: 0018:ffffc900045af780 EFLAGS: 00010293\nRAX: ffffffff89ca45bd RBX: 00000000fffffff4 RCX: ffff888028111e40\nRDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000\nRBP: ffffc900045af870 R08: 0000000000400dc0 R09: 00000000ffffffff\nR10: dffffc0000000000 R11: fffffbfff1d141db R12: ffffc900045af7e0\nR13: 1ffff920008b5f24 R14: dffffc0000000000 R15: ffffc900045af920\nFS:  000055557a6a5500(0000) GS:ffff888125496000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb5ea271fc0 CR3: 000000003269e000 CR4: 00000000003526f0\nCall Trace:\n<TASK>\n__nft_release_table+0xceb/0x11f0 net/netfilter/nf_tables_api.c:12115\nnft_rcv_nl_event+0xc25/0xdb0 net/netfilter/nf_tables_api.c:12187\nnotifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85\nblocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380\nnetlink_release+0x123b/0x1ad0 net/netlink/af_netlink.c:761\n__sock_release net/socket.c:662 [inline]\nsock_close+0xc3/0x240 net/socket.c:1455\nRestrict set clone to the flush set command in the preparation phase.\nAdd NFT_ITER_UPDATE_CLONE and use it for this purpose, update the rbtree\nand pipapo backends to only clone the set when this iteration type is\nused.\nAs for the existing NFT_ITER_UPDATE type, update the pipapo backend to\nuse the existing set clone if available, otherwise use the existing set\nrepresentation. After this update, there is no need to clone a set that\nis being deleted, this includes bound anonymous set.\nAn alternative approach to NFT_ITER_UPDATE_CLONE is to add a .clone\ninterface and call it from the flush set path.", "A flaw was found in the Linux kernel's netfilter nf_tables component. A local or privileged user could trigger a failing memory allocation during a set flush operation. This vulnerability, related to how nf_tables handles set cloning, can lead to a kernel warning (WARN splat), potentially causing system instability or a denial of service." ],
  "statement" : "This issue was discovered via syzkaller with fault injection, requiring artificial memory pressure conditions to trigger. The result is a WARN splat rather than a crash or exploitable condition. The nf_tables subsystem requires CAP_NET_ADMIN capabilities to manipulate firewall rules, limiting this to privileged users or containers with network admin capabilities.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23385\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23385\nhttps://lore.kernel.org/linux-cve-announce/2026032543-CVE-2026-23385-3414@gregkh/T" ],
  "name" : "CVE-2026-23385",
  "csaw" : false
}