DEBIAN-CVE-2026-23231

In the Linux kernel, the following vulnerability has been resolved:  netfilter: nftables: fix use-after-free in nftablesaddchain()  nftablesaddchain() publishes the chain to table->chains via listaddtailrcu() (in nftchainadd()) before registering hooks. If nftablesregisterhook() then fails, the error path calls nftchaindel() (listdelrcu()) followed by nftableschaindestroy() with no RCU grace period in between.  This creates two use-after-free conditions:   1) Control-plane: nftablesdumpchains() traverses table->chains     under rcureadlock(). A concurrent dump can still be walking     the chain when the error path frees it.   2) Packet path: for NFPROTOINET, nfregisternethook() briefly     installs the IPv4 hook before IPv6 registration fails.  Packets     entering nftdochain() via the transient IPv4 hook can still be     dereferencing chain->blobgenX when the error path frees the     chain.  Add synchronizercu() between nftchaindel() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.