CVE-2026-43026

MEDIUM EPSS 2.4%
Published May 1, 20262mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 1, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT. The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields. Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled. Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥3.4  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1c2ebdeff8d088a2e47ae25d7b38447249adace2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2898080c054ea4d6ddfaaf21bbedbc229a9a8376
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/35177c6877134a21315f37d57a5577846225623e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/929f7a9a7aad9404a5867216c3f8738232355b38
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a64b7bf84b4d5ea54218c5d374ec87fff9000f43
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd002ff2ea030cbfb0188a11b3c60ce7f84485f4
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1c2ebdeff8d088a2e47ae25d7b38447249adace2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2898080c054ea4d6ddfaaf21bbedbc229a9a8376
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/35177c6877134a21315f37d57a5577846225623e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/929f7a9a7aad9404a5867216c3f8738232355b38
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a64b7bf84b4d5ea54218c5d374ec87fff9000f43
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fd002ff2ea030cbfb0188a11b3c60ce7f84485f4
    Patch