CVE-2026-23412 — Linux Kernel Netfilter BPF Hook Use-After-Free LPE
1. Overview

A use-after-free vulnerability exists in the Linux kernel’s BPF netfilter link implementation. The bpf_nf_link_lops operations structure uses synchronous deallocation (.dealloc) instead of RCU-deferred freeing (.dealloc_deferred), allowing a use-after-free when concurrent hook enumeration via nfnetlink races with BPF link destruction. The UAF on the kmalloc-192 slab cache is exploitable for local privilege escalation through heap spray and function pointer hijacking. The Linux kernel community addressed this vulnerability in kernel version 7.0-rc5. ...
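The ordering problem described in the overview, shown as an added userspace model. It is not kernel code and is not taken from the advisory or the upstream fix. A reader count stands in for RCU read-side sections, a `freed` flag stands in for kfree(), and all struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: 'freed' stands in for kfree(), no real UB. */
struct hook { bool freed; };
struct model {
    struct hook *listed;   /* entry a dumper can still find */
    struct hook *pending;  /* free postponed until readers finish */
    int readers;           /* open read-side critical sections */
};
/* Last reader leaving ends the grace period; the postponed free runs. */
static void reader_unlock(struct model *m)
{
    if (--m->readers == 0 && m->pending) {
        m->pending->freed = true;
        m->pending = NULL;
    }
}

/* Teardown: unpublish, then free now (.dealloc) or after readers (.dealloc_deferred). */
static void link_destroy(struct model *m, bool deferred)
{
    struct hook *h = m->listed;
    m->listed = NULL;
    if (deferred && m->readers > 0)
        m->pending = h;
    else
        h->freed = true;
}

/* Interleaving from the overview; true if the dumper touched a freed hook. */
static bool race_hits_freed(bool deferred, bool *freed_after)
{
    struct hook h = { false };
    struct model m = { &h, NULL, 0 };
    m.readers++;                   /* dumper enters its read-side section */
    struct hook *seen = m.listed;  /* enumeration picks up the pointer */
    link_destroy(&m, deferred);    /* link destruction runs concurrently */
    bool stale = seen->freed;      /* enumeration dereferences it */
    reader_unlock(&m);
    *freed_after = h.freed;        /* was the hook released in the end? */
    return stale;
}

int main(void)
{
    bool end, sync = race_hits_freed(false, &end);
    printf("sync stale=%d, deferred stale=%d\n", sync, race_hits_freed(true, &end));
    return 0;
}
```

In both modes the hook is released by the end. Only the synchronous path releases it while the enumerating reader still holds the pointer.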