CVE-2026-53269
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A race condition was found in the Linux kernel's synproxy mechanism when registering netfilter hooks concurrently from iptables or nftables. Lack of synchronization may lead to incorrect reference counting and potential system instability.
Risk Assessment
The organization risks system instability or network disruptions if multiple administrators or automated tools manage SYNPROXY rules simultaneously.
Recommendation
Immediately update the Linux kernel to a version that includes the fix introducing a mutex to serialize access to the synproxy hook reference counter.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting As the synproxy infrastructure register netfilter hooks on-demand when a user adds the first iptables target or nftables expression, if done concurrently they can race each other. Introduce a mutex to serialize the refcount control blocks access from both frontends. While a per namespace mutex might be more efficient, it is not needed for target/expression like SYNPROXY.

