CVE-2026-43060
Netfilter nft_ct Module Packet Drop on Removal
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
| linux_kernel | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_ct module. Packets queued in nfqueue hold references to kernel objects such as conntrack zone templates, timeout policies, and helpers.
Because these objects can be removed while packets still reference them, stale references may occur. To address this, the fix drops pending enqueued packets when the related objects are removed, preventing the use of invalid references.
How can this vulnerability impact me?
If this vulnerability is not addressed, packets in the nfqueue might reference kernel objects that have already been removed, leaving stale references. This can cause unexpected behavior or instability in the kernel, potentially resulting in crashes or security issues.
By dropping these packets when the referenced objects are removed, the fix prevents such stale references, improving system stability and security.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved in the Linux kernel by dropping pending enqueued packets on removal to avoid stale references. Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.