CVE-2026-43453
Analyzed Analyzed - Analysis Complete
Stack Out-of-Bounds Read in Linux Kernel Netfilter

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43453
EUVD
EUVD-2026-28759
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 5.6 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nft_set_pipapo function within pipapo_drop().

The issue is a stack out-of-bounds read caused by accessing one element past the end of a stack-allocated array named rulemap. The function pipapo_drop() calls pipapo_unmap() with an argument derived from rulemap[i + 1].n on every iteration, including the last one where this access goes beyond the array's boundary.

Although pipapo_unmap() returns early in the last iteration without using the out-of-bounds value, the argument is still evaluated before the function executes, causing a genuine out-of-bounds read confirmed by Kernel Address Sanitizer (KASAN).

The fix involves passing 0 instead of rulemap[i + 1].n on the last iteration to prevent reading beyond the allocated stack memory.

Impact Analysis

This vulnerability causes a stack out-of-bounds read in the Linux kernel's netfilter code.

While the description does not specify direct exploitation consequences such as privilege escalation or denial of service, out-of-bounds reads can potentially lead to information disclosure or destabilize the kernel, depending on the context and attacker capabilities.

Therefore, this vulnerability could impact system stability and security by exposing kernel memory contents or causing unexpected behavior.

Detection Guidance

This vulnerability is a stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo component, specifically in the pipapo_drop() function. Detection would typically require monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating a stack-out-of-bounds read in nf_tables.

You can check your system logs for messages similar to: "BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]" which indicate the presence of this issue.

Since this is a kernel-level issue, there are no specific network commands to detect exploitation. Instead, monitoring kernel logs with commands like:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan
  • grep -i 'stack-out-of-bounds' /var/log/kern.log

can help identify if the vulnerability has been triggered.

Mitigation Strategies

The vulnerability has been fixed by changing the code to pass 0 instead of rulemap[i + 1].n on the last iteration in pipapo_drop(), preventing the out-of-bounds read.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If an immediate kernel update is not possible, consider disabling or restricting the use of nftables features related to pipapo sets until the patch can be applied.
  • Monitor kernel logs for any signs of exploitation as a precaution.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart