CVE-2026-43088
Undergoing Analysis Undergoing Analysis - In Progress
Memory Corruption in Linux Kernel PF_KEY

Publication date: 2026-05-06

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE` Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43088
EUVD
EUVD-2026-27586
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is resolved by fixing the export paths in the Linux kernel that append aligned sockaddr payloads with plain skb_put(). Specifically, the fix involves clearing only the aligned sockaddr tail after pfkey_sockaddr_fill() in the affected paths: SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Executive Summary

This vulnerability exists in the Linux kernel's PF_KEY export paths related to handling sockaddr structures for IPv6 addresses. Specifically, when reserving space for sockaddr payloads, the function pfkey_sockaddr_size() allocates 32 bytes for IPv6 addresses, but the function pfkey_sockaddr_fill() only initializes the first 28 bytes of the sockaddr_in6 structure. This leaves the last 4 bytes uninitialized, which means they contain leftover or random data.

Not all PF_KEY messages are affected; only certain export paths that append aligned sockaddr payloads without zeroing the entire buffer are vulnerable. These include SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE. The fix involves clearing the uninitialized tail bytes after filling the sockaddr structure to prevent leakage of uninitialized data.

Impact Analysis

The impact of this vulnerability is that uninitialized memory bytes in the sockaddr_in6 structure may be exposed in PF_KEY messages. This could potentially lead to information leakage, where sensitive or random data from kernel memory is unintentionally disclosed to user space or other components interacting with PF_KEY.

Such leakage might be exploited by an attacker to gain insights into kernel memory contents, which could aid in further attacks or compromise system security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43088. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart