CVE-2026-45897
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the netfilter nft_counter module that allowed concurrent counter reset operations without proper synchronization. The lack of locking caused two parallel dumps and resets to read the same counter values and then subtract them twice, leading to underflow.
Risk Assessment
An attacker could exploit this flaw to manipulate network traffic counter data, potentially causing incorrect reporting or bypassing bandwidth limits.
Recommendation
Immediately update the Linux kernel to a version containing the fix that adds a global spinlock for counter fetch and reset operations.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.

