CVE-2026-23399

If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released.

unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpuallocnoprof+0x453/0xd80 nftcounterclone+0x9c/0x190 [nftables] nftexprclone+0x8f/0x1b0 [nftables] nftdynsetnew+0x2cb/0x5f0 [nftables] nftrhashupdate+0x236/0x11c0 [nftables] nftdynseteval+0x11f/0x670 [nftables] nftdochain+0x253/0x1700 [nftables] nftdochainipv4+0x18d/0x270 [nftables] nfhookslow+0xaa/0x1e0 iplocaldeliver+0x209/0x330

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23399.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

563125a73ac30d7036ae69ca35c40500562c1de4

Fixed

d1354873cbe3b344899c4311ac05897fd83e3f21

Fixed

31641c682db73353e4647e40735c7f2a75ff58ef

Fixed

c88a9fd26cee365bec932196f76175772a941cca

Fixed

0548a13b5a145b16e4da0628b5936baf35f51b43

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23399.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

6.12.78

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.20

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23399.json"