Skip to main content

Linux Kernel CVE-2026-43025

| EUVDEUVD-2026-26624 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.3
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:35 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.3 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26624
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.3

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ignore explicit helper on new expectations

Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation.

This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper:

BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350

Allowing to read kernel memory bytes off the expectation boundary.

CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.

AnalysisAI

A buffer overflow in the Linux kernel netfilter ctnetlink subsystem allows authenticated local attackers to read arbitrary kernel memory. The vulnerability arises when userspace provides a helper name for a new expectation that differs from the master conntrack helper, causing the kernel to read 4 bytes beyond the expectation boundary. Vendor-released patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Despite a CVSS base score of 7.3, the EPSS score is exceptionally low (0.02%, 7th percentile), indicating minimal observed exploitation attempts, and the vulnerability is not listed in CISA KEV, suggesting no confirmed active exploitation.

Technical ContextAI

This vulnerability affects the netfilter connection tracking (conntrack) subsystem, specifically the ctnetlink module that provides a netlink interface for manipulating connection tracking from userspace. The issue occurs in the expectation handling code path when processing CTA_EXPECT_CLASS attributes via nfnetlink messages. Connection tracking helpers in netfilter assist with complex protocols that require special handling (like FTP, SIP, IRC), and expectations are pre-allocated conntrack entries for anticipated connections. The vulnerability stems from insufficient validation when userspace specifies a helper name via CTA_EXPECT_HELP_NAME that conflicts with the master conntrack's existing helper, causing nf_ct_expect_related_report to perform out-of-bounds memory access. The affected code path reads 4 bytes past the allocated expectation structure boundary, resulting in a KASAN-detected slab-out-of-bounds condition. The CPE data indicates broad impact across Linux kernel versions starting from 3.12, with the vulnerable code introduced in commit bd0779370588386e4a67ba5d0b176cfded8e6a53.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168+ for the 6.1.x LTS branch, 6.6.134+ for 6.6.x LTS, 6.12.81+ for 6.12.x stable, 6.18.22+ for 6.18.x stable, 6.19.12+ for 6.19.x stable, or 7.0+ for mainline kernels. Upstream fix commits are available at https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a (mainline) and corresponding stable branch commits (187b6ec5229e, 21a04c31db40, 2ea0f35f235f, 0f6c33697ccf, e135f8e8212c). The patch modifies ctnetlink_create_expect to ignore userspace-supplied helper names for new expectations and always use the master conntrack's helper, simplifying validation and preventing the out-of-bounds read. If immediate kernel upgrade is not feasible, restrict CAP_NET_ADMIN capability to only highly trusted administrative accounts, though this is standard practice and provides limited additional protection since the capability is already privileged. As a compensating control, disable the nf_conntrack_netlink module (rmmod nf_conntrack_netlink) if userspace conntrack manipulation is not required, though this will break tools like conntrack-tools and certain firewall management utilities that depend on netlink-based connection tracking control. Monitor for abnormal netlink socket activity from unprivileged or semi-privileged users, though detection may be difficult given legitimate administrative use cases.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy