ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23278

Manuel Diewald manuel.diewald at canonical.com
Mon May 4 14:36:45 UTC 2026


On Thu, Apr 23, 2026 at 11:11:40AM -0700, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> netfilter: nf_tables: always walk all pending catchall elements
> 
> During transaction processing we might have more than one catchall element:
> 1 live catchall element and 1 pending element that is coming as part of the
> new batch.
> 
> If the map holding the catchall elements is also going away, it's
> required to toggle all catchall elements and not just the first viable
> candidate.
> 
> Otherwise, we get:
>  WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
>  RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
>  [..]
>  __nft_set_elem_destroy+0x106/0x380 [nf_tables]
>  nf_tables_abort_release+0x348/0x8d0 [nf_tables]
>  nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
>  nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
> 
> [Fix]
> 
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    backported from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The change affects netfilter's nftables catchall set objects
> code responsible for activating and deactivating these catchall
> elements. Failures might manifest as incorrectly deactivated
> or activated catchall elements.
> 
> Florian Westphal (1):
>   netfilter: nf_tables: always walk all pending catchall elements
> 
>  net/netfilter/nf_tables_api.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> -- 
> 2.43.0
> 

Acked-by: Manuel Diewald <manuel.diewald at canonical.com>

-- 
 Manuel