Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-23385— netfilter: nf_tables: clone set on flush only

EPSS 0.01% · P3
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23385

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
netfilter: nf_tables: clone set on flush only
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992 Modules linked in: CPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 RIP: 0010:nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845 Code: 8b 05 86 5a 4e 09 48 3b 84 24 a0 00 00 00 75 62 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 63 6d fa f7 90 <0f> 0b 90 43 +80 7c 35 00 00 0f 85 23 fe ff ff e9 26 fe ff ff 89 d9 RSP: 0018:ffffc900045af780 EFLAGS: 00010293 RAX: ffffffff89ca45bd RBX: 00000000fffffff4 RCX: ffff888028111e40 RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000 RBP: ffffc900045af870 R08: 0000000000400dc0 R09: 00000000ffffffff R10: dffffc0000000000 R11: fffffbfff1d141db R12: ffffc900045af7e0 R13: 1ffff920008b5f24 R14: dffffc0000000000 R15: ffffc900045af920 FS: 000055557a6a5500(0000) GS:ffff888125496000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb5ea271fc0 CR3: 000000003269e000 CR4: 00000000003526f0 Call Trace: <TASK> __nft_release_table+0xceb/0x11f0 net/netfilter/nf_tables_api.c:12115 nft_rcv_nl_event+0xc25/0xdb0 net/netfilter/nf_tables_api.c:12187 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380 netlink_release+0x123b/0x1ad0 net/netlink/af_netlink.c:761 __sock_release net/socket.c:662 [inline] sock_close+0xc3/0x240 net/socket.c:1455 Restrict set clone to the flush set command in the preparation phase. Add NFT_ITER_UPDATE_CLONE and use it for this purpose, update the rbtree and pipapo backends to only clone the set when this iteration type is used. As for the existing NFT_ITER_UPDATE type, update the pipapo backend to use the existing set clone if available, otherwise use the existing set representation. After this update, there is no need to clone a set that is being deleted, this includes bound anonymous set. An alternative approach to NFT_ITER_UPDATE_CLONE is to add a .clone interface and call it from the flush set path.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于内存分配失败,可能导致内核警告。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 3f1d886cc7c3525d4dbeee24bfa9bb3fe0d48ddc ~ 9154945a6394029822bd08c24cef5a3f86d0424a -
LinuxLinux 6.10 -

II. Public POCs for CVE-2026-23385

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23385

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-03-25 · 116 CVEs total

CVE-2026-233958.8 HIGHBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
CVE-2026-317888.2 HIGHxen/privcmd: restrict usage in unprivileged domU
CVE-2026-233407.8 HIGHnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
CVE-2026-233367.8 HIGHwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
CVE-2026-233507.8 HIGHdrm/xe/queue: Call fini on exec queue creation fail
CVE-2026-233517.8 HIGHnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase
CVE-2026-233177.8 HIGHdrm/vmwgfx: Return the correct value in vmw_translate_ptr functions
CVE-2026-233067.8 HIGHscsi: pm8001: Fix use-after-free in pm8001_queue_command()
CVE-2026-233727.8 HIGHnfc: rawsock: cancel tx_work before socket teardown
CVE-2026-233787.8 HIGHnet/sched: act_ife: Fix metalist update behavior
CVE-2026-233837.8 HIGHbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
CVE-2026-233917.8 HIGHnetfilter: xt_CT: drop pending enqueued packets on template removal
CVE-2026-233927.8 HIGHnetfilter: nf_tables: release flowtable after rcu grace period on error
CVE-2026-233937.8 HIGHbridge: cfm: Fix race condition in peer_mep deletion
CVE-2026-232807.8 HIGHaccel/amdxdna: Prevent ubuf size overflow
CVE-2026-232887.8 HIGHaccel/amdxdna: Fix out-of-bounds memset in command slot handling
CVE-2026-233647.4 HIGHksmbd: Compare MACs in constant time
CVE-2026-232947.0 HIGHbpf: Fix race in devmap on PREEMPT_RT
CVE-2026-23352x86/efi: defer freeing of boot services memory
CVE-2026-23354x86/fred: Correct speculative safety in fred_extint()

Showing top 20 of 116 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-23385

No comments yet

Leave a comment