CVE-2026-43453

HIGH EPSS 2.6%
Published May 8, 20261mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥5.6  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.19
linuxlinux_kernel*≥6.19  –  <6.19.9
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d
    Patch