CVE-2026-43025
Awaiting Analysis Awaiting Analysis - Queue

Buffer Overflow in Linux Kernel Netfilter

Vulnerability report for CVE-2026-43025, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350 Allowing to read kernel memory bytes off the expectation boundary. CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-07-06
AI Q&A
2026-05-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 3.12 (inc) to 6.1.168 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the ctnetlink module. It involves improper handling of explicit helpers on new expectations. Instead of using the existing master conntrack helper, the kernel was accepting other helpers suggested by userspace, which are not properly supported and complicate validation.

This flaw was discovered when validating CTA_EXPECT_CLASS with a helper provided by userspace that differed from the master conntrack helper, leading to a kernel memory read out-of-bounds error (KASAN slab-out-of-bounds). This means the kernel could read memory beyond the expected boundary, potentially causing instability or information leakage.

Impact Analysis

The vulnerability allows the Linux kernel to read kernel memory bytes beyond the intended boundary due to improper validation of helpers in netfilter's conntrack expectations.

This out-of-bounds read could lead to kernel instability, crashes, or potentially expose sensitive kernel memory contents to an attacker, which may be leveraged for further attacks or information disclosure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart