{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260518-cve-2026-23412-linux-kernel-netfilter-bpf-hook-use-after-free-lpe/","date":"2026-05-18","last_modified":"2026-05-18","cve":"CVE-2026-23412","title":"CVE-2026-23412 — Linux Kernel Netfilter BPF Hook Use-After-Free LPE","vulnerability_name":"Linux Kernel Netfilter BPF Hook Use-After-Free LPE","vendor":"Linux","product":"Linux Kernel","component":"Netfilter BPF Link","binary":"nf_bpf_link.c","impact":"EoP","cwe":["CWE-416","CWE-362"],"severity":{"cvss_v4_score":7.1,"cvss_v4_vector":"CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:P"},"attack_vector":"Local","patch_kb":null,"poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-23412","netfilter","bpf","use-after-free","rcu","lpe","kernel"],"summary":"1. Overview A use-after-free vulnerability exists in the Linux kernel’s BPF netfilter link implementation. The bpf_nf_link_lops operations structure uses synchronous deallocation (.dealloc) instead of RCU-deferred freeing (.dealloc_deferred), allowing a use-after-free when concurrent hook enumeration via nfnetlink races with BPF link destruction. The UAF on the kmalloc-192 slab cache is exploitable for local privilege escalation through heap spray and function pointer hijacking. The Linux kernel community addressed this vulnerability in kernel version 7.0-rc5.\n"}