CVE-2026-43329
Modified Modified - Updated After Analysis

Flowtable Action Limit Exceeded in Linux Kernel

Vulnerability report for CVE-2026-43329, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-07-07

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-07-07
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.5 (inc) to 5.15.203 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability relates to the Linux kernel's netfilter flowtable feature, specifically in how it handles the maximum number of hardware offload actions for IPv6 traffic.

The issue arises because the total number of possible actions (such as ethernet mangling, SNAT, DNAT, double VLAN, and redirect) can add up to 17, which exceeds the previously enforced maximum of 16 actions per flow.

Additionally, the system supports actions for tunnels, which further complicates the count. Payload actions operate at a 32-bit word level, meaning some operations like mangling an IPv6 address consume multiple payload actions.

The vulnerability was addressed by updating the function that checks the number of actions to strictly enforce the maximum supported actions and by increasing the maximum allowed actions per flow from 16 to 24 to better accommodate IPv6 setups.

Impact Analysis

If unaddressed, this vulnerability could lead to improper handling of network flow actions in IPv6 environments, potentially causing unexpected behavior or failures in network packet processing.

Specifically, exceeding the maximum number of allowed actions without proper checks might result in incorrect flowtable configurations, which could degrade network performance or cause security mechanisms relying on these actions to malfunction.

By fixing this issue and increasing the maximum number of actions, the Linux kernel ensures more reliable and secure handling of complex IPv6 network flows.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart