A use-after-free vulnerability exists in the Linux kernel netfilter subsystem, in the nf_tables chain-addition path. `nf_tables_addchain()` publishes a new chain on the global `table->chains` list with `list_add_tail_rcu()` before its network hooks have been registered. If hook registration then fails, the error path calls `nft_chain_del()` (which performs `list_del_rcu()`) and immediately frees the chain with `nf_tables_chain_destroy()`, without waiting for an RCU grace period. That leaves two race windows. First, a control-plane race: a concurrent `nf_tables_dump_chains()` holding the RCU read lock may still be walking the list and can touch the chain after it has been freed. Second, a data-path race specific to the `NFPROTO_INET` family, whose chains register both an IPv4 and an IPv6 hook: if the IPv4 hook has already been installed when IPv6 registration fails, packets arriving through that transient hook run `nft_do_chain()` and dereference the chain's `blob_gen_X` rule blob after the chain structure has been freed. The fix inserts a `synchronize_rcu()` between the list deletion and the object destruction, so that every reader that could have observed the chain on the list has finished before the memory is released.
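To make the two orderings concrete, below is an added userspace model of the race; it is not code from the kernel or from this advisory. It uses two threads and a toy RCU (a reader count plus a condition variable) in place of the kernel's, and models `kfree()` by writing a poison value into the object, which is what slab poisoning or KASAN would show a stale reader. `struct chain`, `run_scenario()` and `reader_hit_freed_chain()` are illustrative names. The reader stands for `nf_tables_dump_chains()` or `nft_do_chain()` holding a pointer obtained under `rcu_read_lock()`; the writer runs the chain-addition error path with and without the `synchronize_rcu()` the patch adds. The interleaving is forced with explicit handshakes so the result is deterministic.

```c
/* Constructed model of the nf_tables chain-addition race and its fix.
 * Toy RCU: reader count + condition variable. kfree() is modelled by
 * poisoning the object. Names are illustrative, not the kernel's.
 * Build: cc -O2 -pthread race_model.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define CHAIN_POISON 0xDEADBEEFUL   /* what a freed chain reads back as */

struct chain {
    bool published;          /* stands in for membership in table->chains */
    unsigned long blob_gen;  /* stands in for the blob_gen_0/1 rule blob */
};

/* ---- toy RCU ---------------------------------------------------------- */
static pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cv = PTHREAD_COND_INITIALIZER;
static int readers;            /* readers inside a read-side critical section */
static bool reader_holds_ptr;  /* handshake: reader has picked up the chain */
static bool error_path_done;   /* handshake: writer has run nft_chain_del() */

static void flag_set(bool *f)
{ pthread_mutex_lock(&mu); *f = true; pthread_cond_broadcast(&cv); pthread_mutex_unlock(&mu); }
static void flag_wait(bool *f)
{ pthread_mutex_lock(&mu); while (!*f) pthread_cond_wait(&cv, &mu); pthread_mutex_unlock(&mu); }
static void rcu_read_lock(void)
{ pthread_mutex_lock(&mu); readers++; pthread_mutex_unlock(&mu); }
static void rcu_read_unlock(void)
{ pthread_mutex_lock(&mu); readers--; pthread_cond_broadcast(&cv); pthread_mutex_unlock(&mu); }
/* Grace period: block until every reader that entered before us has left. */
static void synchronize_rcu(void)
{ pthread_mutex_lock(&mu); while (readers) pthread_cond_wait(&cv, &mu); pthread_mutex_unlock(&mu); }

struct scenario { struct chain *c; bool fixed; unsigned long observed; };

/* Control plane: nf_tables_addchain() error path after hook registration failed. */
static void *writer(void *arg)
{
    struct scenario *s = arg;
    flag_wait(&reader_holds_ptr);       /* worst case: a reader already has the chain */
    s->c->published = false;            /* nft_chain_del(): list_del_rcu() */
    if (s->fixed) {
        flag_set(&error_path_done);
        synchronize_rcu();              /* the fix: drain pre-existing readers first */
        s->c->blob_gen = CHAIN_POISON;  /* nf_tables_chain_destroy() */
    } else {
        s->c->blob_gen = CHAIN_POISON;  /* destroy immediately: no grace period */
        flag_set(&error_path_done);     /* the reader resumes only after the free */
    }
    return NULL;
}

/* Reader: nf_tables_dump_chains(), or nft_do_chain() via the transient IPv4 hook. */
static void *reader(void *arg)
{
    struct scenario *s = arg;
    rcu_read_lock();
    struct chain *c = s->c;             /* list_for_each_entry_rcu() returned it */
    flag_set(&reader_holds_ptr);
    flag_wait(&error_path_done);        /* preempted while the writer runs */
    s->observed = c->blob_gen;          /* the dereference the bug makes unsafe */
    rcu_read_unlock();
    return NULL;
}

/* Runs one interleaving; returns the value the reader saw when it dereferenced. */
unsigned long run_scenario(bool fixed)
{
    /* list_add_tail_rcu() already done, hooks not yet registered */
    struct chain c = { .published = true, .blob_gen = 0x1234 };
    struct scenario s = { .c = &c, .fixed = fixed, .observed = 0 };
    pthread_t r, w;

    readers = 0; reader_holds_ptr = false; error_path_done = false;
    pthread_create(&r, NULL, reader, &s);
    pthread_create(&w, NULL, writer, &s);
    pthread_join(r, NULL);
    pthread_join(w, NULL);
    return s.observed;
}

/* True when the reader dereferenced an already-freed chain. */
bool reader_hit_freed_chain(bool fixed)
{
    return run_scenario(fixed) == CHAIN_POISON;
}

int main(void)
{
    printf("without synchronize_rcu(): reader saw %s\n",
           reader_hit_freed_chain(false) ? "freed memory (UAF)" : "live chain");
    printf("with synchronize_rcu():    reader saw %s\n",
           reader_hit_freed_chain(true) ? "freed memory (UAF)" : "live chain");
    return 0;
}
```

In the unfixed run the reader resumes after the "free" and reads the poison value; in the fixed run the writer blocks in `synchronize_rcu()` until the reader leaves its critical section, so the free happens only after the last dereference. This is the same ordering guarantee the kernel patch relies on, without a real scheduler or slab allocator.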
Platform: Linux Kernel
Version: <6.19.6
Vulnerability: Use-after-free
Severity: High
Date: 2026-03-04
Prediction: Past
What Undercode Say:
Analytics:
Affected systems run kernel versions prior to 6.19.6, or any kernel lacking a backport of commit `71e99ee20fc3`; distribution kernels backport fixes without changing the upstream version string, so check the vendor changelog rather than relying on `uname -r` alone. The vulnerable code is in net/netfilter/nf_tables_api.c. Triggering it requires the ability to add nftables chains, i.e. CAP_NET_ADMIN in the network namespace being configured; on distributions that allow unprivileged user namespaces, an ordinary local user can obtain that capability in a fresh network namespace, which is why the vector rates privileges as low. The CVSS v3.1 score is 7.1 (High), with vector `AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`.
Exploit:
Exploitation involves racing a chain addition that is forced to fail at hook registration (for example, by making the IPv6 hook registration error out on an `inet` chain) against either a concurrent chain dump or a packet traversing the already-installed IPv4 hook. This produces a use-after-free of the `nft_chain` structure, which can be turned into kernel memory corruption and potentially local privilege escalation. No public PoC was referenced in the cited source, but similar nf_tables use-after-free flaws have been weaponized in the past.
Protection:
Apply the official kernel patch, which inserts `synchronize_rcu()` after `nft_chain_del()`, by updating to a fixed kernel (6.19.6 or later; Debian sid ships the fixed version). If patching is delayed, the interim options are limited: removing execute permission from the `nft` binary only hides the CLI, because nf_tables is driven over netlink and any process with CAP_NET_ADMIN can talk to it directly; unloading the module (`modprobe -r nf_tables`) removes the attack surface but fails while a ruleset is loaded and disrupts firewall functionality. Where the workload permits, disabling unprivileged user namespaces (upstream sysctl `user.max_user_namespaces=0`, or the distribution-specific `kernel.unprivileged_userns_clone=0` on Debian and Ubuntu kernels that carry it) removes the path by which an unprivileged local user reaches nf_tables, at the cost of breaking rootless containers and sandboxes that depend on user namespaces.
Commands:
# Check the running kernel version (distribution kernels backport fixes without bumping it)
uname -r
# Verify whether the nf_tables module is loaded
lsmod | grep nf_tables
# Look for crashes or sanitizer reports involving nf_tables (KASAN lines appear only on KASAN-enabled kernels)
sudo dmesg | grep -E "nft_do_chain|nf_tables|UAF|KASAN"
# Restrict the nft binary (limited value: the kernel interface is netlink, which any CAP_NET_ADMIN process can use directly)
sudo chmod 700 /usr/sbin/nft
Impact:
Successful exploitation corrupts kernel memory, leading to a system crash (denial of service) or potentially to local privilege escalation to root on the host. Systems with untrusted local users, nftables enabled and unprivileged user namespaces allowed are at the highest risk.
Sources:
Reported By: nvd.nist.gov

