CVE-2026-43451
Analyzed Analyzed - Analysis Complete
Memory Leak in Linux Kernel Netfilter

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43451
EUVD
EUVD-2026-28757
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 4.7 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by correcting the error handling in the netfilter nfnetlink_queue code. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Specifically, ensure your system is running a kernel version released after 2026-05-08 that contains the patch for the nfnetlink_queue entry leak in the bridge verdict error path.

Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nfnetlink_queue subsystem. When processing certain network packets related to bridging (PF_BRIDGE packets), an error in parsing VLAN attributes causes the function to return early without properly freeing allocated resources. This results in a memory leak of queue entries and associated network buffers, which also hold references to network devices and structures.

Impact Analysis

The vulnerability causes a memory leak in the kernel by not freeing certain network queue entries and their associated resources when an error occurs. Repeatedly triggering this condition can exhaust kernel memory, potentially leading to degraded system performance, instability, or crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart