APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23278

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 8 14:12:32 UTC 2026 

Applied to J/N/Q:master-next. Thanks.

On 4/23/26 20:11, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: always walk all pending catchall elements
>
> During transaction processing we might have more than one catchall element:
> 1 live catchall element and 1 pending element that is coming as part of the
> new batch.
>
> If the map holding the catchall elements is also going away, its
> required to toggle all catchall elements and not just the first viable
> candidate.
>
> Otherwise, we get:
>   WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404
>   RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]
>   [..]
>   __nft_set_elem_destroy+0x106/0x380 [nf_tables]
>   nf_tables_abort_release+0x348/0x8d0 [nf_tables]
>   nf_tables_abort+0xcf2/0x3ac0 [nf_tables]
>   nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
>
> [Fix]
>
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    backported from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects netfilter's nftables catchall set objects
> code responsible for activating and deactivating these catchall
> elements. Failures might manifest as incorrectly deactivated
> or activated catchall elements.
>
> Florian Westphal (1):
>    netfilter: nf_tables: always walk all pending catchall elements
>
>   net/netfilter/nf_tables_api.c | 2 --
>   1 file changed, 2 deletions(-)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/43b337cd/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/43b337cd/attachment.sig>

More information about the kernel-team mailing list