CVE-2026-45897

netfilter: nft_counter: serialize reset with spinlock

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_counter: serialize reset with spinlock

Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values.

The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them.

A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 3cb03edb4de33fd04c4ea55f47397b96a8657c53 to 0cdc6d5a26f2d1f7f15a43526841b679445c32e2 (excl.) affected from 3cb03edb4de33fd04c4ea55f47397b96a8657c53 to 779c60a5190c42689534172f4b49e927c9959e4e (excl.) Version fb1adb05ea87b6149e65a31e511756c4f470d0cd is affected Version f123293db16dcd0cd81b246ae60e6362f0025d0a is affected affected from 6.1.107 to 6.2 (excl.) affected from 6.6.48 to 6.7 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 3cb03edb4de33fd04c4ea55f47397b96a8657c53 to 0cdc6d5a26f2d1f7f15a43526841b679445c32e2 (excl.)
affected from 3cb03edb4de33fd04c4ea55f47397b96a8657c53 to 779c60a5190c42689534172f4b49e927c9959e4e (excl.)
Version fb1adb05ea87b6149e65a31e511756c4f470d0cd is affected
Version f123293db16dcd0cd81b246ae60e6362f0025d0a is affected
affected from 6.1.107 to 6.2 (excl.)
affected from 6.6.48 to 6.7 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.7 is affected unaffected from 0 to 6.7 (excl.) unaffected from 6.19.4 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

References

CVE-2026-45897 PUBLISHED