CVE-2026-46324: netfilter: nf_tables: use list_del_rcu for netlink hooks
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: use list_del_rcu for netlink hooks

nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need to use list_del_rcu(); this list can be walked by concurrent dumpers. Add a new helper and use it consistently.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A use-after-free race condition exists in the Linux kernel's netfilter nf_tables subsystem. The flaw is reachable locally by a low-privileged user and stems from nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks using list_del instead of list_del_rcu, allowing concurrent RCU readers (such as netlink dumpers) to walk a list entry that has already been freed. Successful exploitation gives an attacker full read, write, and crash capability over the affected kernel. Patched-image rebuilds at the fix commits targeting the 4.20 and 5.5 stable lines are available on HarborGuard for affected environments.
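To show why the one-word change in the fix matters, here is an added userspace model (not kernel code and not part of this advisory) of the kernel's list_del() versus list_del_rcu() semantics: list_del() poisons both links of the removed node, so a concurrent RCU reader that already holds that node faults when it advances, whereas list_del_rcu() leaves ->next intact so the reader can finish its walk (the node's memory must still only be freed after an RCU grace period). The list structures, poison values and the reader_can_continue() helper are constructed for this example.

```c
/* Minimal userspace model of the kernel's doubly linked list (constructed for
 * this example; it is not the kernel's include/linux/list.h). */
struct list_head { struct list_head *next, *prev; };

/* The kernel poisons unlinked nodes so that a stale traversal faults loudly. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev; prev->next = next;   /* unlink from both neighbours */
}

/* Non-RCU removal: both pointers of the removed node are poisoned at once. */
static void list_del(struct list_head *n)
{
    __list_del(n->prev, n->next);
    n->next = LIST_POISON1; n->prev = LIST_POISON2;
}

/* RCU removal: ->next is left intact so a reader that already holds the node
 * can keep walking forward; only ->prev (never followed by RCU readers) is
 * poisoned. The caller must still defer freeing until a grace period ends. */
static void list_del_rcu(struct list_head *n)
{
    __list_del(n->prev, n->next);
    n->prev = LIST_POISON2;
}

/* Models a dumper that is positioned on node 'a' when the writer removes it
 * and then advances to a->next. Returns 1 if the reader lands on a live node
 * or the list head, 0 if it would dereference a poisoned pointer (the
 * situation the nf_tables fix prevents). No poison pointer is dereferenced. */
static int reader_can_continue(int use_rcu)
{
    struct list_head head, a, b;
    list_init(&head); list_add_tail(&a, &head); list_add_tail(&b, &head);
    struct list_head *cur = &a;               /* reader already holds 'a' */
    if (use_rcu) list_del_rcu(&a); else list_del(&a);
    struct list_head *nxt = cur->next;
    return nxt == &b || nxt == &head;
}
```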
HarborGuard Coverage
- Detection of CVE-2026-46324 is available across every HarborGuard environment; the CVE is ingested from upstream kernel security feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel version. (Status: Available)
- HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and is capable of weighting that score against each environment's compliance policy to surface it at the correct priority; routing to the appropriate team inbox within each customer organization is handled automatically based on policy configuration. (Status: Available)
- A patched-image rebuild pinned to the fix commits (0bd93ce4f3c35e845532184331d7917d7e562c80 and 0f33e8ad6ac563ae2233dd7f75884e0ee010521d) or the 4.20 and 5.5 release tags becomes available on HarborGuard for any image found running an affected kernel version. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. (Status: Available)
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the service is required.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the vulnerable code path; no administrative credentials are needed.
- Victim interaction: Not required
Exploitation is fully attacker-driven; no action from another user or administrator is required.
- Attack complexity: Low
The exploit is reliable and condition-free once local access exists; no race-window tuning or memory-layout knowledge beyond the RCU race itself is required.
Blast Radius
- A successful attacker reads arbitrary kernel memory, including stored credentials, session tokens, and sensitive process data.
- The attacker writes to kernel memory, allowing privilege escalation to root or modification of security-policy structures such as SELinux or AppArmor state.
- The attacker crashes the kernel entirely, taking down all containers and workloads on the affected node.
- Any container sharing the host kernel is exposed; a breakout from a restricted container is achievable once kernel write primitives are obtained.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image whose kernel package version falls within the affected range. Where compliance policy permits, a rebuilt image based on the patched commits is made available immediately, and customers with auto-remediation enabled receive a regression-tested rebuild plus an automated pull request opened against affected workloads (median time to merged PR for HIGH-severity issues is around 90 minutes). For environments where a kernel upgrade cannot be applied immediately, compensating controls include restricting unprivileged user namespaces via kernel parameters (kernel.unprivileged_userns_clone=0 where supported), applying network-policy isolation to limit lateral movement from any compromised container, and auditing which workloads load nf_tables modules to reduce unnecessary exposure until the patch is merged.
Fix available
- Linux / Linux: < 0bd93ce4f3c35e845532184331d7917d7e562c80 (from f9a43007d3f7ba76d5e7f9421094f00f2ef202f8); < 0f33e8ad6ac563ae2233dd7f75884e0ee010521d (from f9a43007d3f7ba76d5e7f9421094f00f2ef202f8); < f3224ee463f8f6f6ced7dcdf6081add4f8128527 (from f9a43007d3f7ba76d5e7f9421094f00f2ef202f8); c73955a09408e7374d9abfd0e78ce3de9cda0635; b09e6ccf0d12f9356e8e3508d3e3dce126298538; 3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82
- Linux / Linux 5.19: fixed in 0, 6.18.33, 7.0.10, 7.1-rc2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H