PT-2026-27750 · Linux · Linux
Published
2026-03-25
·
Updated
2026-03-25
·
CVE-2026-23385
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: clone set on flush only
Syzbot with fault injection triggered a failing memory allocation with
GFP_KERNEL which results in a WARN splat:
iter.err
WARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992
Modules linked in:
CPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845
Code: 8b 05 86 5a 4e 09 48 3b 84 24 a0 00 00 00 75 62 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 63 6d fa f7 90 <0f> 0b 90 43 80 7c 35 00 00 0f 85 23 fe ff ff e9 26 fe ff ff 89 d9
RSP: 0018:ffffc900045af780 EFLAGS: 00010293
RAX: ffffffff89ca45bd RBX: 00000000fffffff4 RCX: ffff888028111e40
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: ffffc900045af870 R08: 0000000000400dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff1d141db R12: ffffc900045af7e0
R13: 1ffff920008b5f24 R14: dffffc0000000000 R15: ffffc900045af920
FS: 000055557a6a5500(0000) GS:ffff888125496000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb5ea271fc0 CR3: 000000003269e000 CR4: 00000000003526f0
Call Trace:
nft_release_table+0xceb/0x11f0 net/netfilter/nf_tables_api.c:12115
nft_rcv_nl_event+0xc25/0xdb0 net/netfilter/nf_tables_api.c:12187
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380
netlink_release+0x123b/0x1ad0 net/netlink/af_netlink.c:761
sock_release net/socket.c:662 [inline]
sock_close+0xc3/0x240 net/socket.c:1455
Restrict set clone to the flush set command in the preparation phase.
Add NFT_ITER_UPDATE_CLONE and use it for this purpose, update the rbtree
and pipapo backends to only clone the set when this iteration type is
used.
As for the existing NFT_ITER_UPDATE type, update the pipapo backend to
use the existing set clone if available, otherwise use the existing set
representation. After this update, there is no need to clone a set that
is being deleted, this includes bound anonymous sets.
An alternative approach to NFT_ITER_UPDATE_CLONE is to add a .clone
interface and call it from the flush set path.
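The commit message above describes a change in when a set backend clones the set during a walk. The following userspace model is an added example written for this page; it is not kernel code and not the patch itself. Only the iteration type names NFT_ITER_UPDATE and NFT_ITER_UPDATE_CLONE come from the commit message; the struct layout, the function names (walk_before, walk_after, simulate_deactivate, simulate_flush), the single-clone-pointer representation and the fault-injection flag are assumptions made to model the two behaviours side by side. Before the fix, a walk with NFT_ITER_UPDATE clones the set, so fault-injected allocation failure surfaces as a non-zero iteration error even on a deactivate path where nothing handles it. After the fix, only the flush path asks for a clone, and the deactivate path walks the existing clone or the live representation without allocating.

```c
/* Added example: userspace model of the nf_tables set-walk change, not
 * kernel code. Names other than NFT_ITER_UPDATE / NFT_ITER_UPDATE_CLONE
 * are assumptions made for this model. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum nft_iter_type {
	NFT_ITER_UPDATE,        /* existing type: walk a set for an update */
	NFT_ITER_UPDATE_CLONE,  /* new type: walk and clone, flush set only */
};

/* Stand-in for a pipapo-style set: live elements plus an optional
 * working copy (clone) that exists while a transaction is prepared. */
struct model_set {
	int elems[8];
	int n;
	struct model_set *clone;
};

/* Fault-injection switch, standing in for syzbot's failing GFP_KERNEL
 * allocation. */
static bool alloc_should_fail;

static struct model_set *model_clone(const struct model_set *src)
{
	struct model_set *c;

	if (alloc_should_fail)
		return NULL;
	c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	memcpy(c->elems, src->elems, sizeof(c->elems));
	c->n = src->n;
	return c;
}

typedef int (*walk_fn)(struct model_set *, enum nft_iter_type, int *);

/* Pre-fix model: every NFT_ITER_UPDATE walk clones the set, so an
 * allocation failure turns into an iteration error on any update walk,
 * including the deactivate path that runs when a table is released. */
static int walk_before(struct model_set *set, enum nft_iter_type type, int *visited)
{
	struct model_set *target = set;

	if (type == NFT_ITER_UPDATE) {
		struct model_set *c = model_clone(set);

		if (!c)
			return -ENOMEM;
		free(set->clone);
		set->clone = c;
		target = c;
	}
	*visited = target->n;
	return 0;
}

/* Post-fix model: only NFT_ITER_UPDATE_CLONE allocates. NFT_ITER_UPDATE
 * reuses an existing clone when there is one, otherwise it walks the
 * live representation, so deleting a set never needs a clone. */
static int walk_after(struct model_set *set, enum nft_iter_type type, int *visited)
{
	struct model_set *target = set;

	if (type == NFT_ITER_UPDATE_CLONE) {
		struct model_set *c = model_clone(set);

		if (!c)
			return -ENOMEM;
		free(set->clone);
		set->clone = c;
		target = c;
	} else if (set->clone) {
		target = set->clone;
	}
	*visited = target->n;
	return 0;
}

/* Runs one walk over a constructed three-element set and returns the
 * iteration error (0 on success, -ENOMEM when the clone failed). */
static int simulate(walk_fn walk, enum nft_iter_type type, bool fail_alloc)
{
	struct model_set set = { .elems = { 10, 20, 30 }, .n = 3, .clone = NULL };
	int visited = 0;
	int err;

	alloc_should_fail = fail_alloc;
	err = walk(&set, type, &visited);
	alloc_should_fail = false;
	free(set.clone);
	if (err)
		return err;
	return visited == set.n ? 0 : -EINVAL;
}

/* Deactivate-on-delete path: a non-zero result here is the iter.err the
 * kernel warned about, because nothing on that path handles it. */
int simulate_deactivate(bool fixed, bool fail_alloc)
{
	return simulate(fixed ? walk_after : walk_before, NFT_ITER_UPDATE, fail_alloc);
}

/* Flush set path: still clones after the fix, but in the preparation
 * phase, where the error is returned to the requester. */
int simulate_flush(bool fixed, bool fail_alloc)
{
	return simulate(fixed ? walk_after : walk_before,
			fixed ? NFT_ITER_UPDATE_CLONE : NFT_ITER_UPDATE, fail_alloc);
}

int main(void)
{
	printf("deactivate, alloc fails, before fix: %d\n", simulate_deactivate(false, true));
	printf("deactivate, alloc fails, after fix:  %d\n", simulate_deactivate(true, true));
	printf("flush, alloc fails, after fix:       %d\n", simulate_flush(true, true));
	return 0;
}
```

The point the model makes is not that allocation failure disappears: flushing a set can still fail with -ENOMEM, but it does so in the preparation phase of a transaction the caller is waiting on. The deactivate path that runs from netlink socket release has no such caller, which is why an error there could only be reported as a WARN.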
Related Identifiers
Affected Products
Linux