NACK/Cmnt: [SRU][J][PATCH 0/1] CVE-2026-23392

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 8 15:04:10 UTC 2026


Rejected for the following reasons:

As per previous comment, Jammy patch should be revisited and
resubmitted as V2 to include d472e9853d7 backport

On 4/9/26 00:11, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: release flowtable after rcu grace period on error
>
> Call synchronize_rcu() after unregistering the hooks from error path,
> since a hook that already refers to this flowtable can be already
> registered, exposing this flowtable to packet path and nfnetlink_hook
> control plane.
>
> This error path is rare, it should only happen by reaching the maximum
> number of hooks or by failing to set up to hardware offload, just call
> synchronize_rcu().
>
> There is a check for already used device hooks by different flowtable
> that could result in EEXIST at this late stage. The hook parser can be
> updated to perform this check earlier to this error path really becomes
> rarely exercised.
>
> Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
> when dumping hooks.
>
> [Fix]
>
> Questing: applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    backported from upstream
> Focal:    sent to Forgejo
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the nftables fast path code, particularly the
> allocation routine for the flowtable object, to correct a use
> after free in the error handling path. Issues would affect this
> nftables fast path table object handling.
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: release flowtable after rcu grace period on
>      error
>
>   net/netfilter/nf_tables_api.c | 1 +
>   1 file changed, 1 insertion(+)
>