CVE-2026-43026
Status: Awaiting Analysis
Memory Corruption in Linux Kernel Netfilter

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent

ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux, Product: linux_kernel, Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the ctnetlink module. When a netlink message does not include the CTA_EXPECT_NAT field, certain fields (saved_addr and saved_proto) are not initialized properly because the allocation function uses a slab cache that does not zero out memory. As a result, stale data from previous allocations can be leaked to userspace when the dump routine checks these fields and, finding them non-zero, emits a CTA_EXPECT_NAT attribute built from them.

The issue arises because the function ctnetlink_alloc_expect() allocates memory without zeroing it, unlike the safe sibling function nf_ct_expect_init() which explicitly zeroes these fields. This can cause the system to expose leftover data from prior uses, potentially leaking sensitive information.
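The slab-reuse mechanism described above, reduced to an added C example that is not kernel code: a one-slot stand-in for a non-zeroing slab cache, a cut-down expect struct holding only the three NAT fields, and the advisory's confirmation sequence (prime with a NAT-bearing expectation, free, allocate without NAT data, dump) run against both the buggy and the fixed else branch. All names here (expect_alloc, alloc_expect, stale_nat_leaks, the sample address) are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical, reduced expectation object: only the fields the bug concerns. */
struct expect {
    uint32_t tuple;        /* always written by the caller */
    uint32_t saved_addr;   /* NAT-only fields: meaningful only when NAT data was given */
    uint16_t saved_proto;
    uint8_t  dir;
};
/* One-slot stand-in for a non-zeroing slab cache: a freed object's bytes stay in
 * place and are handed back verbatim by the next allocation. */
static unsigned char slab_slot[sizeof(struct expect)];
static struct expect *expect_alloc(void) { return (struct expect *)slab_slot; }
static void expect_free(struct expect *e) { (void)e; }
/* Mirrors the dump's decision: emit the NAT attribute iff the fields are non-zero. */
static int dump_emits_nat(const struct expect *e) {
    return e->saved_addr != 0 || e->saved_proto != 0;
}
/* Allocation as described for the bug (fixed == 0) and for the fix (fixed == 1).
 * nat_addr == NULL models a netlink message without CTA_EXPECT_NAT. */
static struct expect *alloc_expect(uint32_t tuple, const uint32_t *nat_addr, int fixed) {
    struct expect *e = expect_alloc();
    e->tuple = tuple;
    if (nat_addr) {
        e->saved_addr = *nat_addr; e->saved_proto = 6; e->dir = 1;
    } else if (fixed) {
        /* The fix: explicitly zero the NAT fields in the else branch. */
        e->saved_addr = 0; e->saved_proto = 0; e->dir = 0;
    }
    /* Buggy variant writes nothing here, so the previous occupant's bytes survive. */
    return e;
}
/* The advisory's confirmation sequence: prime the slot with a NAT-bearing
 * expectation, free it, allocate one without NAT data, then ask the dump. */
static int stale_nat_leaks(int fixed) {
    uint32_t primed_addr = 0x0a000001;  /* constructed sample address */
    struct expect *e = alloc_expect(1, &primed_addr, fixed);
    expect_free(e);
    e = alloc_expect(2, NULL, fixed);
    return dump_emits_nat(e);  /* 1 = spurious CTA_EXPECT_NAT carrying stale data */
}
int main(void) {
    printf("stale NAT data leaked: buggy=%d fixed=%d\n", stale_nat_leaks(0), stale_nat_leaks(1));
    return 0;
}
```

The same check generalises to any field a dump path uses as an "is this attribute present" signal: if the allocator does not zero it and one code path skips writing it, the previous occupant decides what userspace sees.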


How can this vulnerability impact me?

This vulnerability can lead to the leakage of stale or leftover data from kernel memory to userspace. Since uninitialized fields may contain sensitive information from previous network expectations, an attacker or user with access to the netlink interface could potentially obtain unintended data.

Such leakage could compromise system confidentiality by exposing sensitive network state information, which might be used to infer network configurations or other details that should remain protected.

