PT-2026-35017 · Linux · Linux

Published 2026-04-24 · Updated 2026-04-24 · CVE-2026-31665

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data().
Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.
KASAN report:
  BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
  Read of size 4 at addr ffff8881035fe19c by task exploit/80

Call Trace:
  nf_conntrack_tcp_packet+0x1381/0x29d0
  nf_conntrack_in+0x612/0x8b0
  nf_hook_slow+0x70/0x100
  ip_local_out+0x1b2/0x210
  tcp_sendmsg_locked+0x722/0x1580
  __sys_sendto+0x2d8/0x320

Allocated by task 75:
  nft_ct_timeout_obj_init+0xf6/0x290
  nft_obj_init+0x107/0x1b0
  nf_tables_newobj+0x680/0x9c0
  nfnetlink_rcv_batch+0xc29/0xe00

Freed by task 26:
  nft_obj_destroy+0x3f/0xa0
  nf_tables_trans_destroy_work+0x51c/0x5c0
  process_one_work+0x2c4/0x5a0
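
The ordering problem described above, as an added userspace model that is not kernel code and not part of the original patch: it replays one interleaving (reader takes the pointer, writer destroys the object, reader then reads) against an immediate free and against a free deferred until readers have drained. All names (timeout_obj, race, destroy_immediate, destroy_deferred) are hypothetical, and the grace period is simplified to "no reader is inside a critical section".

```c
/* Constructed single-threaded model: "free" only clears a flag, so the
 * stale read is detected instead of being undefined behaviour. */
#include <stdio.h>

struct timeout_obj {             /* stands in for struct nf_ct_timeout */
    int live;                    /* 1 = allocated, 0 = freed */
    struct timeout_obj *next_cb; /* plays the role of the added rcu_head */
};
static struct timeout_obj *published; /* pointer that readers dereference */
static struct timeout_obj *pending;   /* objects waiting for a grace period */
static int readers;                   /* open read-side critical sections */
static void run_callbacks(void)       /* the grace period has ended */
{
    for (; pending; pending = pending->next_cb)
        pending->live = 0;
}
static struct timeout_obj *read_lock_deref(void) { readers++; return published; }
static void read_unlock(void) { if (--readers == 0) run_callbacks(); }

/* Pre-fix: unpublish, then free at once (the kfree() path). */
static void destroy_immediate(struct timeout_obj *o) { published = NULL; o->live = 0; }

/* Post-fix: unpublish, free only after readers drain (the kfree_rcu() path). */
static void destroy_deferred(struct timeout_obj *o)
{
    published = NULL;
    o->next_cb = pending; pending = o;   /* queue the deferred free */
    if (readers == 0) run_callbacks();
}

/* Reader takes the pointer, writer destroys, reader then reads through it.
 * Returns 1 if the reader touched a freed object, 0 if the read was safe. */
static int race(void (*destroy)(struct timeout_obj *), struct timeout_obj *o)
{
    o->live = 1; o->next_cb = NULL;
    published = o;
    struct timeout_obj *p = read_lock_deref();
    destroy(o);
    int stale = !p->live;        /* the access KASAN reports in the kernel */
    read_unlock();
    return stale;
}

int main(void)
{
    struct timeout_obj a, b;
    printf("kfree: stale=%d  kfree_rcu: stale=%d\n",
           race(destroy_immediate, &a), race(destroy_deferred, &b));
    return 0;
}
```

In the deferred case the object is still released, only later: once the reader leaves its critical section the queued callback runs and the object is marked freed.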

Related Identifiers

CVE-2026-31665

Affected Products

Linux