CVE Catalog

CVE-2026-53000

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the netfilter NAT subsystem was found where nf_hook_ops structures are not properly deferred when freed. This can lead to memory leaks or use-after-free when dumping active hooks via nfnetlink_hook.

Risk Assessment

The organization faces potential system instability or information disclosure about firewall configuration if an attacker gains access to hook dumps via nfnetlink_hook. The vulnerability could be exploited for privilege escalation or DoS attacks.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit using kfree_rcu for ops). Check for the patch in your distribution and apply it as part of your vulnerability management process.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nat: use kfree_rcu to release ops Florian Westphal says: "Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks. However, in v5.14 I added the ability to dump the active netfilter hooks from userspace. This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath. The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though. But once that changes the nat ops structures have to be deferred too." Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS