Listen to this Post
How CVE-2026-52970 Works
CVE-2026-52970 is a resource management vulnerability within the Linux kernel’s netfilter subsystem, specifically in the nftables framework’s connection tracking (conntrack) implementation. The flaw resides in the `nft_ct_expect_obj_eval()` function, which is responsible for evaluating expectation objects for connection tracking rules.
When the kernel processes connection tracking expectations, this function properly allocates memory for a new expectation structure. However, it fails to release the associated reference count before returning control flow. The function calls `nf_ct_expect_related()` to create a new expectation object but neglects to call `nf_ct_expect_put(exp)` to decrement the reference counter.
This represents a classic reference counting flaw that violates fundamental kernel memory management principles. Each invocation of `nft_ct_expect_obj_eval()` leaves an allocated resource in an unreleased state, leading to a progressive memory leak.
The vulnerability was introduced in kernel version 5.3 with commit 857b46027d6f91150797295752581b7155b9d0e1. In high-network-traffic environments with frequent connection tracking operations, the accumulation of unreleased expectation objects can lead to memory exhaustion. This resource leak directly impacts the kernel’s ability to efficiently manage connection tracking resources, potentially causing denial-of-service scenarios where new connections cannot be properly tracked.
The fix involves adding `nf_ct_expect_put(exp)` before the function returns, ensuring every expectation allocation is balanced with a corresponding release operation.
DailyCVE Form:
Platform: ……. Linux Kernel
Version: …….. 5.3 through 7.0.9
Vulnerability :…… CWE-772 (Missing Release of Resource)
Severity: ……. Critical (CVSS 7.0)
date: ………. 2026-06-24
Prediction: …… 2026-07-14
What Undercode Say:
Analytics & Technical Deep Dive
The vulnerability resides in net/netfilter/nft_ct.c. The following patch illustrates the fix:
View the vulnerable function git show 857b46027d6f91150797295752581b7155b9d0e1:net/netfilter/nft_ct.c | grep -A 20 "nft_ct_expect_obj_eval" Check if your system is vulnerable (for Debian/Ubuntu) uname -r Vulnerable versions: 5.3.x through 7.0.9 (before fixed versions) Check for the fix commit in your kernel source git log --oneline --grep="nft_ct: fix missing expect put"
Affected and Fixed Versions:
| Kernel Version | Status | Fix Commit |
||||
| 5.3 – 5.10.257 | Affected | – |
| 5.10.258+ | Fixed | cdb9a25dd341 |
| 5.15.209+ | Fixed | 26ab32ec7394 |
| 6.1.175+ | Fixed | 7b96242ceedf |
| 6.6.141+ | Fixed | ecca618e1e33 |
| 6.12.91+ | Fixed | 2aef1b13d5c0 |
| 6.18.33+ | Fixed | 1dced0725e2f |
| 7.0.10+ | Fixed | 84c422cea5a4 |
| 7.1+ | Fixed | 19f94b6fee75 |
Red Hat specific assessment:
- RHEL 6, 7, 8: Not affected
- RHEL 9, 10: Affected
Exploit:
Currently, no public exploit is available for CVE-2026-52970. However, the exploitation is considered easy by security analysts. A local attacker with low privileges could potentially trigger this vulnerability repeatedly to exhaust system memory.
Theoretical exploitation approach:
1. Craft nftables rules that invoke `nft_ct_expect_obj_eval()`
2. Repeatedly trigger connection tracking expectation evaluations
- Each call leaks memory without releasing the expectation reference
- Over time, memory exhaustion leads to system instability or denial of service
Attack vector: Local access required (AV:L) with high attack complexity (AC:H).
Protection:
Immediate Mitigation:
- Upgrade to one of the fixed kernel versions: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1+
- Apply the patch commit appropriate for your kernel branch
Verification commands:
Check current kernel version uname -r For Debian/Ubuntu, check available updates apt-cache policy linux-image-$(uname -r) For RHEL/CentOS/Fedora rpm -q kernel Verify if the fix is applied (check for the commit in kernel source) git describe --contains cdb9a25dd3416d427e8b2753210f8baf44207577 2>/dev/null || echo "Patch not found in this tree"
Temporary Workarounds (if patching is not immediately possible):
- Restrict local access to the system
- Monitor memory usage patterns for gradual resource consumption
- Implement proper kernel version management and regular update schedules
Impact:
Technical Impact:
- Resource Leak: Each `nft_ct_expect_obj_eval()` call leaks one expectation object
- Memory Exhaustion: Progressive consumption of kernel memory over time
- Denial of Service: System becomes unable to track new connections, leading to network disruption
CVSS Metrics:
- CVSS 3.1 Score: 7.0 (High)
- Vector: `AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
– Attack Vector: Local - Attack Complexity: High
- Privileges Required: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CWE Classification: CWE-772 (Missing Release of Resource after Effective Lifetime)
Affected Systems: All Linux distributions running kernel versions 5.3 through 7.0.9, including Ubuntu (focal, jammy, noble), RHEL 9 and 10, and other enterprise distributions.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

