CVE Catalog

CVE-2026-45897

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile - higher than 3% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found in the netfilter nft_counter module that allowed concurrent counter reset operations without proper synchronization. The lack of locking caused two parallel dumps and resets to read the same counter values and then subtract them twice, leading to underflow.

Risk Assessment

An attacker could exploit this flaw to manipulate network traffic counter data, potentially causing incorrect reporting or bypassing bandwidth limits.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds a global spinlock for counter fetch and reset operations.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS