{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23274", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.991Z", "datePublished": "2026-03-20T08:08:54.918Z", "dateUpdated": "2026-03-20T08:08:54.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-20T08:08:54.918Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309", "status": "affected", "versionType": "git"}, {"version": "68983a354a655c35d3fb204489d383a2a051fda7", "lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/xt_IDLETIMER.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0-rc4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}, {"url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}], "title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer->timer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer->timer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."}], "id": "CVE-2026-23274", "lastModified": "2026-03-20T09:16:13.077", "metrics": {}, "published": "2026-03-20T09:16:13.077", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T09:52:48.507162+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the patch rejecting revision\u00a00 rule insertion for ALARM\u2011labelled timers, e.g., applying the commit associated with the listed Git references.", "Verify that the kernel version contains the fix by checking for the commit hash r329f0b9b48ee6a or the corresponding patch.", "If an immediate update is not possible, restrict netfilter rule modifications to privileged users only or disable the affected module if it is not required for your environment."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "The flaw resides in the Linux kernel\u2019s netfilter implementation. The CPE indicates all Linux kernel releases (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). Because no specific version list is supplied by the CNA, any kernel version that contains the unpatched code is potentially affected. Currently no vendor\u2011specified affected version ranges are available. ", "description_and_impact": "In the Linux kernel\u2019s netfilter XT IDLETIMER module, revision\u00a00 rules incorrectly reuse timer objects that were originally created by revision\u00a01 with the XT_IDLETIMER_ALARM label. Because revision\u00a00 code unconditionally calls mod_timer() on timer->timer, it may operate on an uninitialized timer_list when the same label has already been used for an alarm timer. This results in kernel debugobject warnings and, if the kernel option panic_on_warn=1 is enabled, can trigger a kernel panic. The vulnerability is an instance of Improper Initialization (CWE\u2011665) and can lead to a complete system crash, effectively denying all services on the affected host. ", "risk_and_exploitability": "EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented exploit at this time. The bug is local: an attacker must be able to insert or modify netfilter IDLETIMER rules. Under typical privilege assumptions (root or privileged user), the attacker can trigger the flaw and cause a kernel crash. Severity is high due to loss of availability and potential denial of all services on the host. The likely attack vector is local with necessity for privilege to edit firewall rules."}}}}, "created": "2026-03-20T10:36:45.102281+00:00", "updated": "2026-03-20T10:36:45.102308+00:00", "vendors": [], "weaknesses": ["CWE-665"]}