CVE-2026-43114
Awaiting Analysis - Queue
netfilter nft_set_pipapo_avx2 expiry entry mismatch

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry

New test case fails unexpectedly when avx2 matching functions are used. The test first loads a randomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo. This works.

Then, it reloads the set after a flush:

(echo flush set t s; cat foo) | nft -f -

This is expected to work, because it's the same set after all and it was already loaded once. But with avx2, this fails: nft reports a clashing element. The reported clash is of the following form:

We successfully re-inserted
a . b
c . d

Then we try to insert
a . d

avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to the next. Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched.

No such error is reported for the generic C implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.

Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug. Before this commit, the wrong element is returned, but erroneously reported as a full, identical duplicate.

The root cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.
Affected Vendors & Products
1 associated CPE:
Vendor: linux_kernel
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_set_pipapo_avx2 matching functions. When a pipapo set is flushed and reloaded, the avx2 lookup first finds the element that the flush marked invalid in the new generation and skips it. Because of incorrect masking and an early return in the last-field match, the skip step then picks the next element that matches on the first field only, so an already reinserted element with a different last field is returned. nft reports this as a clashing element, even though no clash exists. The generic C implementation and the nft_pipapo_avx2_lookup_slow fallback are not affected.


How can this vulnerability impact me?

The vulnerability can cause incorrect behavior in netfilter's set matching operations, leading to false detection of clashing elements when reloading sets. This may result in failures or unexpected errors in firewall or packet filtering rules that rely on these sets, potentially disrupting network traffic filtering or security policies.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability relates to the Linux kernel's netfilter nft_set_pipapo_avx2 matching functions, specifically when using avx2 instructions with nft sets involving 'ipv4 . port' keys.

To detect this issue, you can attempt to reproduce the test case described in the vulnerability: first load a randomly generated pipapo set with the command 'nft -f foo', then flush and reload the set using '(echo flush set t s; cat foo) | nft -f -'.

If the vulnerability is present, the reload will fail with nft reporting a clashing element, indicating the avx2 matching function is incorrectly handling entries.

  • Load the set: nft -f foo
  • Flush and reload the set: (echo flush set t s; cat foo) | nft -f -

Observing a clash error during the reload step suggests the presence of the vulnerability.
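The check above, scripted as an added example (not from the CVE record or the kernel selftest): it builds a seeded 'ipv4 . port' interval set in the shape the report describes (several elements sharing a first field with disjoint second fields), then performs the load, flush and reload steps and reports whether nft rejects the reload. The table name "ip t", set name "s" and the element layout are assumptions chosen to match 'flush set t s'.

```shell
#!/bin/sh
# Added reproduction check for the flush-and-reload clash. Assumed names:
# table "ip t", set "s" (matching 'flush set t s'). Running the check
# needs root, nft and a kernel using the avx2 pipapo path; the generator
# alone needs only awk. 'run' mode deletes table ip t afterwards, so use
# a scratch network namespace (e.g. unshare -n).
set -eu

# gen_set_file SEED NADDR NPORT -> nft ruleset on stdout. Every /24 is
# paired with NPORT disjoint port ranges, so elements share a first field
# ('a . b', 'a . d') while no two elements overlap in both fields.
gen_set_file() {
    awk -v seed="$1" -v naddr="$2" -v nport="$3" '
    BEGIN {
        srand(seed)
        print "table ip t {\n\tset s {"
        print "\t\ttype ipv4_addr . inet_service\n\t\tflags interval"
        printf "\t\telements = {"
        n = 0
        for (i = 1; i <= naddr; i++)
            for (j = 0; j < nport; j++) {
                lo = j * 1000 + int(rand() * 400) + 1   # bucket j: j000-j999
                hi = lo + int(rand() * 500)            # stays inside bucket
                printf "%s\t\t\t10.%d.0.0/24 . %d-%d", (n++ ? ",\n" : "\n"), i, lo, hi
            }
        print "\n\t\t}\n\t}\n}"
    }'
}

# count_elements FILE -> number of elements (one per line in this layout).
count_elements() { grep -c '10\.[0-9]*\.0\.0/24' "$1"; }

# reload_check FILE: load FILE, then flush set t s and reload it from FILE.
# Returns 0 when the reload is accepted, 1 when nft rejects it (on an
# affected kernel: a spurious clashing element, the symptom described above).
reload_check() {
    nft -f "$1" || return 1
    (echo "flush set t s"; cat "$1") | nft -f -
}

if [ "${1:-}" = "run" ]; then
    f="$(mktemp)"
    gen_set_file "${2:-1}" 8 6 > "$f"      # seed, 8 subnets x 6 port ranges
    if reload_check "$f"; then echo "reload accepted: no clash reported"
    else echo "reload rejected: consistent with CVE-2026-43114"; fi
    nft delete table ip t 2>/dev/null || true
    rm -f "$f"
fi
```

Invoke as `sh check.sh run [seed]` inside a throwaway namespace; a rejected reload on a kernel without the fix is the behaviour the report describes.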


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the avx2 matching functions to correctly handle entry expiry and avoid returning non-matching entries.

Immediate mitigation steps include updating your Linux kernel to a version that contains the fix for this issue.

Until the update is applied, avoid using nft sets with avx2 matching functions that involve 'ipv4 . port' keys in scenarios where sets are flushed and reloaded, as this triggers the bug.

