CVE-2026-43085
Heap Leak in Linux Kernel Netfilter nfnetlink_log
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
| linux_kernel | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter subsystem, specifically in the nfnetlink_log component. When multiple NFLOG messages are batched together, the function __nfulnl_send() appends an NLMSG_DONE terminator message containing a payload of type nfgenmsg. However, this nfgenmsg payload is not properly initialized before being sent.
Because the nlmsg_put() helper function only zeroes the alignment padding after the payload and does not initialize the payload itself, four bytes of leftover kernel heap data remain uninitialized and are leaked to userspace within the NLMSG_DONE message.
The fix involves using nfnl_msg_put() to build the NLMSG_DONE terminator, which properly initializes the nfgenmsg payload using nfnl_fill_hdr(), ensuring no stale kernel data is leaked.
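The following userspace C model is an added illustration, not code from the kernel or from this record: it mimics an nlmsg_put()-style helper that zeroes only the alignment padding after the payload, beside the nfnl_fill_hdr()-style initialization the fix adds through nfnl_msg_put(). The struct and helper names are local stand-ins for the kernel ones, and the 0xA5 fill is constructed stand-in for stale heap data.

```c
/* Userspace model of the uninitialized nfgenmsg payload in the NLMSG_DONE
 * terminator. Constructed example; kernel helpers are mimicked, not used. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_DONE 0x3
#define NFNETLINK_V0 0

struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags;
                  uint32_t nlmsg_seq, nlmsg_pid; };
struct nfgenmsg { uint8_t nfgen_family; uint8_t version; uint16_t res_id; };

/* Mimics __nlmsg_put(): writes the header and zeroes only the alignment
 * padding that follows the payload; the payload bytes are left untouched. */
static struct nlmsghdr *model_nlmsg_put(uint8_t *buf, uint16_t type, size_t payload)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = sizeof(*nlh) + payload;
    nlh->nlmsg_type = type; nlh->nlmsg_flags = 0;
    nlh->nlmsg_seq = 0; nlh->nlmsg_pid = 0;
    memset(buf + sizeof(*nlh) + payload, 0, NLMSG_ALIGN(payload) - payload);
    return nlh;
}

/* Mimics nfnl_fill_hdr(): the initialization step the fix adds. */
static void model_nfnl_fill_hdr(struct nlmsghdr *nlh, uint8_t family, uint16_t res_id)
{
    struct nfgenmsg *nfmsg = (struct nfgenmsg *)((uint8_t *)nlh + sizeof(*nlh));
    nfmsg->nfgen_family = family;
    nfmsg->version = NFNETLINK_V0;
    nfmsg->res_id = htons(res_id);
}

/* Builds the NLMSG_DONE message into a buffer pre-filled with 0xA5 (constructed
 * stand-in for stale heap data) and returns how many of the four nfgenmsg
 * payload bytes would still reach userspace uninitialized. */
int count_stale_payload_bytes(int apply_fix)
{
    uint8_t skb[sizeof(struct nlmsghdr) + NLMSG_ALIGN(sizeof(struct nfgenmsg))];
    memset(skb, 0xA5, sizeof skb);
    struct nlmsghdr *nlh = model_nlmsg_put(skb, NLMSG_DONE, sizeof(struct nfgenmsg));
    if (apply_fix)
        model_nfnl_fill_hdr(nlh, 0 /* AF_UNSPEC */, 1 /* hypothetical group id */);
    const uint8_t *payload = skb + sizeof(struct nlmsghdr);
    int stale = 0;
    for (size_t i = 0; i < sizeof(struct nfgenmsg); i++)
        stale += (payload[i] == 0xA5);
    return stale;   /* 4 without the fix, 0 with it */
}
```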
How can this vulnerability impact me?
This vulnerability can lead to the unintended disclosure of kernel memory contents to userspace. Specifically, four bytes of stale kernel heap data are leaked in the NLMSG_DONE message when multiple NFLOG messages are batched.
Such leakage of kernel memory could expose sensitive information or internal kernel data, which an attacker might use to gain further insight into the system or to aid other attacks.