CVE Catalog

CVE-2026-52988

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In the Linux kernel netfilter/nf_tables subsystem, a vulnerability was found due to unsafe publishing of new hooks in the basechain/flowtable list during the commit phase. The lack of splice_list_rcu() can cause a race condition between concurrent netlink dump traversal and ruleset updates.

Risk Assessment

The risk involves a potential race condition between read (netlink dump) and write (ruleset update) operations, which may lead to an inconsistent hook list state, potentially causing data integrity issues or system crashes.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit using splice_list_rcu()). Monitor distributions for the patch and apply it on a priority basis.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase Publish new hooks in the list into the basechain/flowtable using splice_list_rcu() to ensure netlink dump list traversal via rcu is safe while concurrent ruleset update is going on.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS