{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "e844a928431fa8f1359d1f4f2cef53d9b446bf52"
            },
            {
              "fixed": "d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
            },
            {
              "fixed": "9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
            },
            {
              "fixed": "bdf2724eefd4455a66863abb025bab8d3aa98c57"
            },
            {
              "fixed": "f04cc86d59906513d2d62183b882966fc0ae0390"
            },
            {
              "fixed": "f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
            },
            {
              "fixed": "04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
            },
            {
              "fixed": "cd541f15b60e2257441398cf495d978f816d09f8"
            },
            {
              "fixed": "5cb81eeda909dbb2def209dd10636b51549a3f8a"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "5.10.253"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.203"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.167"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.130"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.78"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.20"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23458.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start().  When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds.  Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n  \u003cTASK\u003e\n  ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  ? aa_sk_perm+0x184/0x450\n  sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n  kmem_cache_alloc_noprof+0x134/0x440\n  __nf_conntrack_alloc+0xa8/0x2b0\n  ctnetlink_create_conntrack+0xa1/0x900\n  ctnetlink_new_conntrack+0x3cf/0x7d0\n  nfnetlink_rcv_msg+0x48e/0x510\n  netlink_rcv_skb+0xc9/0x1f0\n  nfnetlink_rcv+0xdb/0x220\n  netlink_unicast+0x3ec/0x590\n  netlink_sendmsg+0x397/0x690\n  __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n  slab_free_after_rcu_debug+0xad/0x1e0\n  rcu_core+0x5c3/0x9c0",
  "id": "CVE-2026-23458",
  "modified": "2026-07-08T05:39:16.666693515Z",
  "published": "2026-04-03T15:15:39.041Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04c8907ce4e3d3e26c5e1a3e47aa5d17082cbb56"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cb81eeda909dbb2def209dd10636b51549a3f8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9821b47f669eb82791fa0b1a6ebaf9aa219bea72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bdf2724eefd4455a66863abb025bab8d3aa98c57"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd541f15b60e2257441398cf495d978f816d09f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8cd0efbccc5cfb0a80da744a7da76e1333ab925"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f025171feef2ac65663d7986f1d5ff0c28d6b2a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f04cc86d59906513d2d62183b882966fc0ae0390"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23458.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23458"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()"
}