{"id":"CVE-2026-23272","summary":"netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches.","modified":"2026-04-25T07:59:23.883657964Z","published":"2026-03-20T08:08:52.946Z","related":["SUSE-SU-2026:1342-1","SUSE-SU-2026:1557-1","SUSE-SU-2026:1563-1","SUSE-SU-2026:1573-1","SUSE-SU-2026:1574-1","SUSE-SU-2026:1575-1","SUSE-SU-2026:1606-1","SUSE-SU-2026:21114-1","SUSE-SU-2026:21123-1","SUSE-SU-2026:21237-1","SUSE-SU-2026:21255-1","openSUSE-SU-2026:20572-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23272.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23272.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23272"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"35d0ac9070ef619e3bf44324375878a1c540387b"},{"fixed":"6826131c7674329335ca25df2550163eb8a1fd0c"},{"fixed":"ccb8c8f3c1127cf34d18c737309897c68046bf21"},{"fixed":"def602e498a4f951da95c95b1b8ce8ae68aa733a"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"fefdd79403e89b0c673965343b92e2e01e2713a8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23272.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23272.json"}}],"schema_version":"1.7.5"}