CVE-2026-23391

HIGH

netfilter: xt_CT: drop pending enqueued packets on template removal

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed.

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (30)
linux/Kernel 3.4.0 - 5.10.253linux
linux/Kernel 3.4.0 - 6.1.167linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.167linux
linux/Kernel 6.13.0 - 6.18.20linux
linux/Kernel 6.19.0 - 6.19.10linux
linux/Kernel 6.2.0 - 6.6.130linux
linux/Kernel 6.7.0 - 6.12.78linux
Linux/Linux < 3.4
Linux/Linux 24de58f465165298aaa8f286b2592f0163706cfe - 19a230dec6bb8928e3f96387f9085cf2c79bcef9
... and 20 more
Published Mar 25, 2026
Tracked Since Mar 25, 2026