Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Use-after-free in Linux kernel netfilter ctnetlink_dump_exp_ct()

IdentifiersCVE-2026-23458CWE-416· Use After Free

CVE-2026-23458 is a use-after-free vulnerability in the Linux kernel netfilter ctnetlink component, specifically in ctnetlink_dump_exp_ct(). The function stores a conntrack pointer in cb->data for use by the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). If the netlink dump spans multiple rounds, a subsequent recvmsg() can invoke the dump callback after the conntrack object has already been freed, and nfct_help(ct) then dereferences freed memory via ct->ext. The root cause is missing netlink_dump_control .start and .done callbacks to retain and release the conntrack reference across the full lifetime of the dump operation. The fix adds those callbacks and also moves the nfct_help() call after the cb->args[0] early-return check to avoid unnecessary dereferencing.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger a kernel slab use-after-free during netlink dump processing in the conntrack subsystem. Because the freed object is later dereferenced in kernel context, the result can include kernel memory corruption, denial of service through kernel crash, and potentially compromise of confidentiality, integrity, and availability depending on exploitability in the affected environment. Published CVSS metrics in the provided content characterize the issue as locally exploitable with low privileges and no user interaction.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting local access to systems and limiting which users or services can interact with nfnetlink/ctnetlink interfaces capable of initiating conntrack dump operations. Minimize availability of untrusted local code execution paths, including containers or workloads with sufficient privileges to access the affected netlink functionality. These are only temporary risk-reduction measures; the definitive mitigation is to deploy a fixed kernel.

Remediation

Patch, then assume compromise.

Apply a kernel update that includes the upstream fix for CVE-2026-23458. The remediation is to use a kernel build where ctnetlink dump handling retains the conntrack reference for the duration of the dump via netlink_dump_control .start and .done callbacks, and where nfct_help() is invoked only after the early-return condition check. Vendor advisories in the provided content indicate fixed packages are available across multiple SUSE product lines; administrators should install the relevant kernel security update and reboot into the patched kernel.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

4 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23458
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23458
MITRE CWE · CWE-416
Use After Free
Patch
git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56
Patch
git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a
Patch
git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72
Patch
git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57
Patch
git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8
Patch
git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925
Patch
git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9
Patch
git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390