CVE-2026-31665
- Source
- https://cve.org/CVERecord?id=CVE-2026-31665
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31665.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31665
- Downstream
- Published
- 2026-04-24T14:45:14.613Z
- Modified
- 2026-05-18T05:59:53.535094914Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- netfilter: nft_ct: fix use-after-free in timeout object destroy
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nftcttimeoutobjdestroy() frees the timeout object with kfree() immediately after nfctuntimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcudereference() in nfcttimeoutdata().
Add an rcuhead to struct nfcttimeout and use kfreercu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.
KASAN report: BUG: KASAN: slab-use-after-free in nfconntracktcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80
Call Trace: nfconntracktcppacket+0x1381/0x29d0 nfconntrackin+0x612/0x8b0 nfhook_slow+0x70/0x100 __iplocalout+0x1b2/0x210 tcpsendmsglocked+0x722/0x1580 _syssendto+0x2d8/0x320
Allocated by task 75: nftcttimeoutobjinit+0xf6/0x290 nftobjinit+0x107/0x1b0 nftablesnewobj+0x680/0x9c0 nfnetlinkrcvbatch+0xc29/0xe00
Freed by task 26: nftobjdestroy+0x3f/0xa0 nftablestransdestroywork+0x51c/0x5c0 processonework+0x2c4/0x5a0
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31665.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/070abdf1b04325b21a20a2a0c39a2208af107275
- https://git.kernel.org/stable/c/aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77
- https://git.kernel.org/stable/c/b42aca3660dc2627a29a38131597ca610dc451f9
- https://git.kernel.org/stable/c/c458fc1c278a65ad5381083121d39a479973ebed
- https://git.kernel.org/stable/c/c581e5c8f2b59158f62efe61c1a3dc36189081ff
- https://git.kernel.org/stable/c/d0983b48c10d1509fd795c155f8b1e832e1369ff
- https://git.kernel.org/stable/c/f16fe84879a5280f05ebbcea593a189ba0f3e79a
- https://git.kernel.org/stable/c/f8dca15a1b190787bbd03285304b569631160eda
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31665.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31665
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7e0b2b57f01d183e1c84114f1f2287737358d748Fixedc458fc1c278a65ad5381083121d39a479973ebedFixedc581e5c8f2b59158f62efe61c1a3dc36189081ffFixedf16fe84879a5280f05ebbcea593a189ba0f3e79aFixed070abdf1b04325b21a20a2a0c39a2208af107275Fixedaa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77Fixedb42aca3660dc2627a29a38131597ca610dc451f9Fixedd0983b48c10d1509fd795c155f8b1e832e1369ffFixedf8dca15a1b190787bbd03285304b569631160eda
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.19.0Fixed5.10.253
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.203
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.169
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.135
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.82
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.23
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.13