{ "threat_severity" : "Moderate", "public_date" : "2026-04-24T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: nft_ct: fix use-after-free in timeout object destroy", "id" : "2461577", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461577" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\nKASAN report:\nBUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\nRead of size 4 at addr ffff8881035fe19c by task exploit/80\nCall Trace:\nnf_conntrack_tcp_packet+0x1381/0x29d0\nnf_conntrack_in+0x612/0x8b0\nnf_hook_slow+0x70/0x100\n__ip_local_out+0x1b2/0x210\ntcp_sendmsg_locked+0x722/0x1580\n__sys_sendto+0x2d8/0x320\nAllocated by task 75:\nnft_ct_timeout_obj_init+0xf6/0x290\nnft_obj_init+0x107/0x1b0\nnf_tables_newobj+0x680/0x9c0\nnfnetlink_rcv_batch+0xc29/0xe00\nFreed by task 26:\nnft_obj_destroy+0x3f/0xa0\nnf_tables_trans_destroy_work+0x51c/0x5c0\nprocess_one_work+0x2c4/0x5a0", "A flaw was found in the Linux kernel's netfilter connection tracking (nf_conntrack) component. This vulnerability is a use-after-free error, occurring when a timeout object is deallocated prematurely without waiting for an RCU (Read-Copy-Update) grace period. This allows concurrent packet processing to access memory that has already been freed. An attacker could exploit this timing issue to cause a system crash, leading to a denial of service." ], "statement" : "nftables connection-tracking timeout objects could be destroyed while references remained, causing UAF in teardown. Red Hat advises nftables users to consume fixed kernels; broad nft/nf_tables unload is rarely practical on firewalled hosts.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31665\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31665\nhttps://lore.kernel.org/linux-cve-announce/2026042405-CVE-2026-31665-f586@gregkh/T" ], "name" : "CVE-2026-31665", "csaw" : false }