Linux Kernel Netfilter nft_ct UAF in timeout object destroy
CVE-2026-31665 Published on April 24, 2026
netfilter: nft_ct: fix use-after-free in timeout object destroy
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree()
immediately after nf_ct_untimeout(), without waiting for an RCU grace
period. Concurrent packet processing on other CPUs may still hold
RCU-protected references to the timeout object obtained via
rcu_dereference() in nf_ct_timeout_data().
Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer
freeing until after an RCU grace period, matching the approach already
used in nfnetlink_cttimeout.c.
KASAN report:
BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
Read of size 4 at addr ffff8881035fe19c by task exploit/80
Call Trace:
nf_conntrack_tcp_packet+0x1381/0x29d0
nf_conntrack_in+0x612/0x8b0
nf_hook_slow+0x70/0x100
__ip_local_out+0x1b2/0x210
tcp_sendmsg_locked+0x722/0x1580
__sys_sendto+0x2d8/0x320
Allocated by task 75:
nft_ct_timeout_obj_init+0xf6/0x290
nft_obj_init+0x107/0x1b0
nf_tables_newobj+0x680/0x9c0
nfnetlink_rcv_batch+0xc29/0xe00
Freed by task 26:
nft_obj_destroy+0x3f/0xa0
nf_tables_trans_destroy_work+0x51c/0x5c0
process_one_work+0x2c4/0x5a0
Products Associated with CVE-2026-31665
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below c458fc1c278a65ad5381083121d39a479973ebed is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below c581e5c8f2b59158f62efe61c1a3dc36189081ff is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below f16fe84879a5280f05ebbcea593a189ba0f3e79a is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below 070abdf1b04325b21a20a2a0c39a2208af107275 is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below aa7cfa16f98f8ec3e6d47c34e1a8c1ae4b9b8b77 is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below b42aca3660dc2627a29a38131597ca610dc451f9 is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below d0983b48c10d1509fd795c155f8b1e832e1369ff is affected.
- Version 7e0b2b57f01d183e1c84114f1f2287737358d748 and below f8dca15a1b190787bbd03285304b569631160eda is affected.
- Version 4.19 is affected.
- Before 4.19 is unaffected.
- Version 5.10.253, <= 5.10.* is unaffected.
- Version 5.15.203, <= 5.15.* is unaffected.
- Version 6.1.169, <= 6.1.* is unaffected.
- Version 6.6.135, <= 6.6.* is unaffected.
- Version 6.12.82, <= 6.12.* is unaffected.
- Version 6.18.23, <= 6.18.* is unaffected.
- Version 6.19.13, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.