In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unlink table before deleting it
syzbot reports following UAF:
BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955
 nla_strcmp+0xf2/0x130 lib/nlattr.c:836
 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
 nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
Problem is that all get operations are lockless, so the commit_mutex held by nft_rcv_nl_event() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu().
To avoid this, unlink the table first and store the table objects in on-stack scratch space.
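The ordering described above (unlink, park in on-stack scratch, wait for readers, then free), as an added user-space model that is not the kernel patch itself. The struct layout, the function names, the batch size of 8 and the `wait_for_readers()` stub standing in for `synchronize_rcu()` are assumptions made for illustration; the writer-side mutex and real RCU are not modelled.

```c
#include <stdlib.h>

#define SCRATCH 8                    /* on-stack batch size (assumed) */
struct table {                       /* simplified stand-in, not the kernel struct */
    struct table *next;
    unsigned int owner;              /* owning netlink port id */
    int linked;                      /* 1 while lookups can still reach it */
};
static struct table *tables;         /* list that lockless lookups walk */
static int grace_periods;            /* times we waited for readers */
static int freed_while_linked;       /* the buggy ordering; must stay 0 */

static void add_table(unsigned int owner)
{
    struct table *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->owner = owner; t->linked = 1;
    t->next = tables; tables = t;
}

/* Stand-in for synchronize_rcu(): the kernel call blocks here until every
 * reader that could have seen the unlinked tables has finished. */
static void wait_for_readers(void) { grace_periods++; }

static void release_table(struct table *t)
{
    if (t->linked) freed_while_linked++;   /* freeing a reachable table is the bug */
    free(t);
}

/* Release every table owned by `owner`: unlink, wait, then free. */
static int release_owned(unsigned int owner)
{
    struct table *scratch[SCRATCH], **pp;
    int n, total = 0;
    do {
        n = 0;
        for (pp = &tables; *pp && n < SCRATCH; ) {
            struct table *t = *pp;
            if (t->owner != owner) { pp = &t->next; continue; }
            *pp = t->next; t->linked = 0;   /* 1. unlink: new lookups miss it */
            scratch[n++] = t;               /* 2. park in on-stack scratch */
        }
        if (n) wait_for_readers();          /* 3. in-flight readers drain */
        for (int i = 0; i < n; i++) release_table(scratch[i]);  /* 4. free */
        total += n;
    } while (n == SCRATCH);                 /* scratch was full: scan again */
    return total;
}
```

Because the scratch array is fixed-size, an owner with more tables than fit in one batch costs one grace period per batch rather than one per table.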