CVE-2026-43084
Use-After-Free in Linux Kernel nfnetlink_queue
Publication date: 2026-05-06
Last updated on: 2026-05-20
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.12.75 (inc) to 6.12.83 (exc) |
| linux | linux_kernel | From 6.18.14 (inc) to 6.18.24 (exc) |
| linux | linux_kernel | From 6.19.4 (inc) to 6.19.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter nfnetlink_queue component. It arises because a global hash table is shared among all queues, which can lead to a crash due to a use-after-free bug. Specifically, the structure nf_queue_entry is freed using kfree, but a parallel CPU might still access this freed entry when traversing the list, causing a kernel crash.
The issue occurs in the function nfqnl_recv_verdict, and the problem is related to memory management and concurrency. An alternative fix involves using kfree_rcu() to free nf_queue_entry, but this would increase memory pressure because allocations and frees happen for each skb.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash due to a use-after-free error in the netfilter nfnetlink_queue subsystem. Such crashes can lead to system instability, denial of service, and potential disruption of network packet processing.