CVE-2026-43025
Status: Awaiting Analysis - Queue
Buffer Overflow in Linux Kernel Netfilter

Publication date: 2026-05-01

Last updated on: 2026-05-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ignore explicit helper on new expectations

Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation.

This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper:

BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
 nf_ct_expect_related_report+0x2479/0x27c0
 ctnetlink_create_expect+0x22b/0x3b0
 ctnetlink_new_expect+0x4bd/0x5c0
 nfnetlink_rcv_msg+0x67a/0x950
 netlink_rcv_skb+0x120/0x350

Allowing to read kernel memory bytes off the expectation boundary.

CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.
Meta Information

Published: 2026-05-01
Last Modified: 2026-05-03
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05

References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)

Vendor: linux
Product: linux_kernel
Version / Range: *
Exploitability

CWE ID: CWE-UNKNOWN
KEV: none listed
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the ctnetlink module. It involves improper handling of explicit helpers on new expectations. Instead of using the existing master conntrack helper, the kernel was accepting other helpers suggested by userspace, which are not properly supported and complicate validation.

This flaw was discovered when validating CTA_EXPECT_CLASS with a helper provided by userspace that differed from the master conntrack helper, leading to a kernel memory read out-of-bounds error (KASAN slab-out-of-bounds). This means the kernel could read memory beyond the expected boundary, potentially causing instability or information leakage.


How can this vulnerability impact me?

The vulnerability allows the Linux kernel to read kernel memory bytes beyond the intended boundary due to improper validation of helpers in netfilter's conntrack expectations.

This out-of-bounds read could lead to kernel instability, crashes, or potentially expose sensitive kernel memory contents to an attacker, which may be leveraged for further attacks or information disclosure.

