CVE-2026-43453
Stack Out-of-Bounds Read in Linux Kernel Netfilter
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_set_pipapo function within pipapo_drop().
The issue is a stack out-of-bounds read caused by accessing one element past the end of a stack-allocated array named rulemap. The function pipapo_drop() calls pipapo_unmap() with an argument derived from rulemap[i + 1].n on every iteration, including the last one where this access goes beyond the array's boundary.
Although pipapo_unmap() returns early in the last iteration without using the out-of-bounds value, the argument is still evaluated before the function executes, causing a genuine out-of-bounds read confirmed by Kernel Address Sanitizer (KASAN).
The fix involves passing 0 instead of rulemap[i + 1].n on the last iteration to prevent reading beyond the allocated stack memory.
How can this vulnerability impact me? :
This vulnerability causes a stack out-of-bounds read in the Linux kernel's netfilter code.
While the description does not specify direct exploitation consequences such as privilege escalation or denial of service, out-of-bounds reads can potentially lead to information disclosure or destabilize the kernel, depending on the context and attacker capabilities.
Therefore, this vulnerability could impact system stability and security by exposing kernel memory contents or causing unexpected behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo component, specifically in the pipapo_drop() function. Detection would typically require monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating a stack-out-of-bounds read in nf_tables.
You can check your system logs for messages similar to: "BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]" which indicate the presence of this issue.
Since this is a kernel-level issue, there are no specific network commands to detect exploitation. Instead, monitoring kernel logs with commands like:
- dmesg | grep -i kasan
- journalctl -k | grep -i kasan
- grep -i 'stack-out-of-bounds' /var/log/kern.log
can help identify if the vulnerability has been triggered.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed by changing the code to pass 0 instead of rulemap[i + 1].n on the last iteration in pipapo_drop(), preventing the out-of-bounds read.
Immediate mitigation steps include:
- Update your Linux kernel to a version that includes the fix for this vulnerability.
- If an immediate kernel update is not possible, consider disabling or restricting the use of nftables features related to pipapo sets until the patch can be applied.
- Monitor kernel logs for any signs of exploitation as a precaution.