[SRU][J/N/Q][PATCH 0/3] CVE-2026-23272

Ian Whitfield ian.whitfield at canonical.com
Wed May 6 16:33:44 UTC 2026


[Impact]

netfilter: nf_tables: unconditionally bump set->nelems before insertion

In case the set is full, a new element gets published then removed
without waiting for the RCU grace period, while an RCU reader can be
walking over it already.

To address this issue, add the element transaction even if set is full,
but toggle the set_full flag to report -ENFILE so the abort path safely
unwinds the set to its previous state.

As for element updates, decrement set->nelems to restore it.

A simpler fix is to call synchronize_rcu() in the error path.
However, with a large batch adding elements to an already maxed-out set,
this could cause a noticeable slowdown of such batches.

[Backport]

Questing applied the fix commit cleanly.

For Noble, the fix commit was modified to drop changes for a missing feature added in
4201f3938914 ("netfilter: nf_tables: set element timeout update support")
and there were context adjustments to work around several other missing changes.

For Jammy, a slightly larger patchset was used to more safely transition the
older kernel tree to accept the fix commit. Specifically, two pre-requisite
commits were added that fix some issues with the way the number of nft set
elements is incremented when an element is added. Some adjustments were made for
context differences in the pre-requisite patches. The fix commit then applied
similarly to Noble, dropping changes for the missing feature and adjusting
context for several other missing changes.

[Fix]

Resolute: Not affected
Questing: Cherry-pick
Noble: Backport
Jammy: Backport
Focal: PR on Forgejo
Bionic: PR on Forgejo
Xenial: Not affected
Trusty: Not affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use netfilter/nftables to route packets. An issue
with this fix would be visible to the user as kernel faults or networking
problems particularly when using sets in an nftables config.

Florian Westphal (1):
  netfilter: nf_tables: always increment set element count

Pablo Neira Ayuso (2):
  netfilter: nf_tables: fix set size with rbtree backend
  netfilter: nf_tables: unconditionally bump set->nelems before
    insertion

 include/net/netfilter/nf_tables.h |  6 +++
 net/netfilter/nf_tables_api.c     | 72 ++++++++++++++++++++++++++-----
 net/netfilter/nft_set_rbtree.c    | 43 ++++++++++++++++++
 3 files changed, 110 insertions(+), 11 deletions(-)

-- 
2.43.0
