High

Use-after-free in Linux kernel netfilter nft_set_pipapo garbage collection

IdentifiersCVE-2026-23351CWE-416· Use After Free

CVE-2026-23351 is a use-after-free vulnerability in the Linux kernel netfilter subsystem, specifically in the nftables pipapo set backend (nft_set_pipapo). According to the provided kernel fix description, the flaw occurs during garbage collection of expired elements. Under a large number of expired elements, commit-time garbage collection can run for an extended period in a non-preemptible context. During this process, expired elements may remain visible through the live copy of the data structure to both the packet-processing path and userspace dump operations. The issue arises because elements could be queued for freeing before the commit phase has progressed far enough to swap clone and live pointers, allowing readers to observe freed elements. The fix splits garbage collection into distinct unlink and reclaim phases to ensure elements are first detached from visibility before reclamation.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to a local denial of service through soft lockups and RCU stall conditions, as explicitly noted in the provided description. Because the core flaw is a use-after-free in kernel memory handling, it also creates the potential for memory corruption and possibly further exploitation depending on kernel build, heap state, and reachable attack primitives, but the provided content specifically confirms local denial of service.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting untrusted local access to systems that permit nftables or netfilter rule manipulation, and limit the ability to create or trigger large numbers of expired pipapo set elements. Minimize use of affected nftables pipapo set configurations where feasible until patched. Because the issue is in kernel-space object lifetime handling, mitigation is limited and patching is the primary corrective action.

Remediation

Patch, then assume compromise.

Apply the Linux kernel update that resolves CVE-2026-23351 by changing nft_set_pipapo garbage collection to separate unlink and reclaim phases. The fix ensures expired elements are not reclaimed until they are no longer reachable via the live data structure and readers cannot observe freed objects. Deploy the vendor-supplied patched kernel for affected distributions and downstream builds.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

google security research pull requestsNews

Apr 27, 2026

kernelctf: CVE-2026-23351_cos by 11X0r · Pull Request #371 · google/security-research · GitHub

A use-after-free vulnerability in nft_set_pipapo garbage collection, discussed with an exploit technique involving nft_immediate_eval out-of-bounds destination register write to bypass stack canaries on ChromeOS kernel build cos-121-18867.381.30.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23351

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23351

MITRE CWE · CWE-416

Use After Free

Patch

git.kernel.org/stable/c/16f3595c0441d87dfa005c47d8f95be213afaa9e

Patch

git.kernel.org/stable/c/500a50a301ce962b019ab95053ac70264fec2c21

Patch

git.kernel.org/stable/c/65ca51b9fb85477ab92a04295aed34b38f7c062e

Patch

git.kernel.org/stable/c/7864c667aed01a58b87ca518a631322cd0ac34c0

Patch

git.kernel.org/stable/c/9df95785d3d8302f7c066050117b04cd3c2048c2

Patch

git.kernel.org/stable/c/aff13667708dfa0dce136b8efd81baa9fa6ef261

Patch

git.kernel.org/stable/c/c0f1f85097ac2b6e7d750fe4d05807985cd3fd3a

Patch

git.kernel.org/stable/c/c12d570d71920903a1a0468b7d13b085203d0c93