CVE-2026-23458

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix use-after-free in ctnetlinkdumpexp_ct()

ctnetlinkdumpexpct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlinkexpctdumptable(), but drops the conntrack reference immediately after netlinkdumpstart(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfcthelp(ct), leading to a use-after-free on ct->ext.

The bug is that the netlinkdumpcontrol has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlinkgetconntrack) properly use .start/.done callbacks for this purpose.

Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily.

BUG: KASAN: slab-use-after-free in ctnetlinkexpctdumptable+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133

CPU: 1 UID: 0 PID: 133 Comm: ctnetlinkpoc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlinkexpctdumptable+0x4f/0x2e0 netlinkdump+0x333/0x880 netlinkrecvmsg+0x3e2/0x4b0 ? aaskperm+0x184/0x450 sockrecvmsg+0xde/0xf0

Allocated by task 133: kmemcachealloc_noprof+0x134/0x440 __nfconntrackalloc+0xa8/0x2b0 ctnetlinkcreateconntrack+0xa1/0x900 ctnetlinknewconntrack+0x3cf/0x7d0 nfnetlinkrcvmsg+0x48e/0x510 netlinkrcvskb+0xc9/0x1f0 nfnetlinkrcv+0xdb/0x220 netlinkunicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 _syssendmsg+0xf4/0x180

Freed by task 0: slabfreeafterrcudebug+0xad/0x1e0 rcu_core+0x5c3/0x9c0