CVE-2026-23392

Source
https://cve.org/CVERecord?id=CVE-2026-23392
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23392.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23392
Published
2026-03-25T10:33:16.647Z
Modified
2026-04-02T13:12:23.701356Z
Summary
netfilter: nf_tables: release flowtable after rcu grace period on error
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release flowtable after rcu grace period on error

Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane.

This error path is rare, it should only happen by reaching the maximum number of hooks or by failing to set up to hardware offload, just call synchronize_rcu().

There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier so this error path really becomes rarely exercised.

Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23392.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3b49e2e94e6ebb8b23d0955d9e898254455734f8
Fixed
d2632de96ccb066e0131ad1494241b9c281c60b8
Fixed
adee3436ccd29f1e514c028899e400cbc6d84065
Fixed
7e3955b282eae20d61c75e499c75eade51c20060
Fixed
c8092edb9a11f20f95ccceeb9422b7dd0df337bd
Fixed
e78a2dcc7cfb87b64a631441ca7681492b347ef6
Fixed
d73f4b53aaaea4c95f245e491aa5eeb8a21874ce

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23392.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.16.0
Fixed
6.1.167
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.130
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.78
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.20
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23392.json"