CVE-2026-46319

Source
https://cve.org/CVERecord?id=CVE-2026-46319
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46319.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46319
Downstream
Related
Published
2026-06-09T12:11:12.128Z
Modified
2026-07-10T03:53:52.796421717Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net/sched: act_ct: Only release RCU read lock after ct_ft
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: actct: Only release RCU read lock after ctft

When looking up a flow table in actct in tcfctflowtableget(), rhashtablelookupfast() internally opens and closes an RCU read critical section before returning ctft. The tcfctflowtablecleanupwork() can complete before refcountincnotzero() is invoked on the returned ctft resulting in a UAF on the already freed ctft object. This vulnerability can lead to privilege escalation.

Analysis from zdi-disclosures@trendmicro.com: When initializing actct, tcfctinit() is called, which internally triggers tcfctflowtable_get().

static int tcfctflowtableget(struct net *net, struct tcfctparams *params)

{ struct zoneshtkey key = { .net = net, .zone = params->zone }; struct tcfctflowtable *ctft; int err = -ENOMEM;

            mutex_lock(&zones_mutex);
            ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
            if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
                            goto out_unlock;
            ...

}

static _alwaysinline void *rhashtablelookupfast( struct rhashtable *ht, const void *key, const struct rhashtable_params params) { void *obj;

            rcu_read_lock();
            obj = rhashtable_lookup(ht, key, params);
            rcu_read_unlock();

            return obj;

}

At [1], rhashtablelookupfast() looks up and returns the corresponding ctft from zonesht . The lookup is performed within an RCU read critical section through rcureadlock() / rcureadunlock(), which prevents the object from being freed. However, at the point of function return, rcureadunlock() has already been called, and there is nothing preventing ctft from being freed before reaching refcountincnotzero(&ctft->ref) at [2]. This interval becomes the race window, during which ctft can be freed.

Free Process:

tcfctflowtableput() is executed through the path tcfctcleanup() callrcu() tcfctparamsfreercu() tcfctparamsfree() tcfctflowtableput().

static void tcfctflowtableput(struct tcfctflowtable *ctft) { if (refcountdecandtest(&ctft->ref)) { rhashtableremovefast(&zonesht, &ctft->node, zonesparams); INITRCUWORK(&ctft->rwork, tcfctflowtablecleanupwork); // [3] queuercuwork(actctwq, &ctft->rwork); } }

At [3], tcfctflowtablecleanup_work() is scheduled as RCU work

static void tcfctflowtablecleanupwork(struct workstruct *work)

{ struct tcfctflowtable *ctft; struct flow_block *block;

            ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
                                                            rwork);
            nf_flow_table_free(&ct_ft->nf_ft);
            block = &ct_ft->nf_ft.flow_block;
            down_write(&ct_ft->nf_ft.flow_block_lock);
            WARN_ON(!list_empty(&block->cb_list));
            up_write(&ct_ft->nf_ft.flow_block_lock);
            kfree(ct_ft); // [4]

            module_put(THIS_MODULE);

}

tcfctflowtablecleanupwork() frees ctft at [4]. When this function executes between [1] and [2], UAF occurs.

This race condition has a very short race window, making it generally difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was inserted after[1]

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46319.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
138470a9b2cc2e26e6018300394afc3858a54e6a
Fixed
ece578ca61e572df96cfc80456357ebfae0b4b9e
Fixed
a2e0c045c87aa252eb61412e67dd91f2c2b19f81
Fixed
67c9ecc9f2575273ed1323e312881fc98ac83d6d
Fixed
f23424a0ddadb494d4bd57056a7ca703312d3a7b
Fixed
17dfb67cb399b660105d9a8c6100851c0d0cdc70
Fixed
4c727c6967a41b37efe0f26332ca9ec5b74785a3
Fixed
3e20e1b3058e0b94638e7b931c138e840e266724
Fixed
f462dca0c8415bf0058d0ffa476354c4476d0f09

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46319.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46319.json"