CVE-2026-43060
Undergoing Analysis Undergoing Analysis - In Progress
Netfilter nft_ct Module Packet Drop on Removal

Publication date: 2026-05-05

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43060
EUVD
EUVD-2026-27354
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 4.19 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_ct module. It involves packets that are queued in nfqueue holding references to certain kernel objects such as conntrack zone templates, timeout policies, and helpers.

Because these objects can be removed while packets still reference them, stale references may occur. To address this, the fix drops pending enqueued packets when the related objects are removed, preventing the use of invalid references.

Impact Analysis

If this vulnerability is not addressed, packets in the nfqueue might reference kernel objects that have been removed, leading to stale references. This can cause unexpected behavior or instability in the kernel, potentially resulting in crashes or security issues.

By dropping these packets upon removal of the referenced objects, the vulnerability prevents such stale references, improving system stability and security.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by dropping pending enqueued packets on removal to avoid stale references. Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart