kernel: netfilter: nf_tables: release flowtable after rcu grace period on error

A flaw was found in the Linux kernel's netfilter component, specifically within the nftables subsystem. An error in releasing a flowtable after an RCU Read-Copy-Update grace period could lead to a use-after-free vulnerability. This issue could expose the flowtable to the packet path and...

RLSA-2026:21557 Important: kernel security update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: can: j1939: j1939sessionnew: fix skb reference counting CVE-2024-56645 kernel: ima: don't clear IMADIGSIG flag when setting or removing non-IMA xattr CVE-2025-68183 kernel: mm: thp: deny...

kernel security update

An update is available for kernel. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The kernel packages contain the Linux kernel, the core of any Linux operating...

kernel: netfilter: nf_tables: release flowtable after rcu grace period on error

A flaw was found in the Linux kernel's netfilter component, specifically within the nftables subsystem. An error in releasing a flowtable after an RCU Read-Copy-Update grace period could lead to a use-after-free vulnerability. This issue could expose the flowtable to the packet path and...

RockyLinux 9 : kernel (RLSA-2026:21556)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21556 advisory. kernel: proc: use the same treatment to check proclseek as ones for procreaditer et.al CVE-2025-38653 kernel: ima: don't clear IMADIGSIG flag when setti...

EUVD-2026-32367

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: revert commitmutex usage in reset path It causes circular lock dependency between commitmutex, nfnlsubsysipset and nlkcbmutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same...

CVE-2026-45901

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: revert commitmutex usage in reset path It causes circular lock dependency between commitmutex, nfnlsubsysipset and nlkcbmutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same...

UBUNTU-CVE-2026-45901

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: revert commitmutex usage in reset path It causes circular lock dependency between commitmutex, nfnlsubsysipset and nlkcbmutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same...

CVE-2026-45901 netfilter: nf_tables: revert commit_mutex usage in reset path

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: revert commitmutex usage in reset path It causes circular lock dependency between commitmutex, nfnlsubsysipset and nlkcbmutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same...

Linux Distros Unpatched Vulnerability : CVE-2026-45901

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - netfilter: nftables: revert commitmutex usage in reset path It causes circular lock dependency between commitmutex, nfnlsubsysipset and nlkcbmutex when nft rese...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Do not allow SETID to refer to another table. When performing lookups for sets within the same batch using their IDs, a set from a different table can be utilized. However, when the table is removed, a...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: netfilter: nftables: Unlinking the table before deleting it The syzbot reports the following UAFs: BUG: KASAN: Use-after-free in memcmp+0x18f/0x1c0, lib/string.c:955 nlastrcmp+0xf2/0x130, lib/nlattr.c:836...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: netfilter: nftables: prefer nftchainvalidate nftchainvalidate already performs loop detection, as a cycle would result in a call stack overflow ctx-level = NFTJUMPSTACKSIZE. It also follows maps via -validate callback in...

Astra Linux - уязвимость в linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: A memory leak occurs during the stateful object update process. Stateful objects can be updated from the control plane. The transaction logic allocates a temporary object for this purpose. The -init function ...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Do not skip expired elements during the walk. There is an asymmetry between the commit/abort phase and the preparation phase if the following conditions are met: 1. set is a verdict map “1.2.3.4 : jump foo”. ...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables – A memory leak was fixed in nftablesupdchain. If nftnetdevregisterhooks fails, the memory associated with nftstats is not freed, resulting in a memory leak. This patch fixes this issue by moving nftstatsalloc...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: netfilter: nftables: Fix for duplicate devices in netdev hooks When handling NETDEVREGISTER notifications, duplicate device registrations must be avoided, as the device might have been added by nftnetdevhookalloc during the...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: The backend for setting the DEAD bit was changed to use the GC transaction API. The GC transaction API replaces the old and buggy gc API and the busy mark approach. No set elements are removed from async...

kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check

A flaw was found in the Linux kernel's nftables component. A logic bug in nftmapcatchallactivate causes an inverted element activity check during the abort path of a failed transaction. This can lead to a use-after-free vulnerability, as catchall verdict elements may still reference a freed chain...

CVE-2026-43454

A flaw was found in the Linux kernel's netfilter nftables component. This vulnerability allows for duplicate device registration when handling network device registration notifications. Such duplicate registrations can lead to unexpected system behavior or instability...