Skip to main content

Linux Kernel CVE-2026-43026

| EUVDEUVD-2026-26625 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 18:22 vuln.today
CVSS changed
May 08, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26625
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent

ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.

AnalysisAI

Information disclosure in the Linux kernel netfilter ctnetlink module allows local authenticated users to read stale NAT configuration data from kernel memory via a crafted netlink message. When ctnetlink_alloc_expect() allocates connection tracking expectations without initializing NAT fields, uninitialized memory containing sensitive data from previous slab allocations is exposed to userspace during expectation dumps. This requires local access and low-privileged authentication (PR:L) but carries a high availability impact due to potential memory disclosure vectors.

Technical ContextAI

The vulnerability exists in the netfilter connection tracking (conntrack) subsystem's netlink interface. The ctnetlink_alloc_expect() function allocates expectation objects from a non-zeroing slab cache (nf_ct_expect_alloc()) that retains data from previous allocations. When a user sends a CTA_EXPECT_NAT absent netlink message to create a connection tracking expectation, the saved_addr, saved_proto, and dir fields are left uninitialized with stale kernel memory. The ctnetlink_exp_dump_expect() function later inspects these fields to decide whether to emit CTA_EXPECT_NAT attribute, inadvertently leaking the uninitialized content. The safe codepath used for packet processing (nf_ct_expect_init()) explicitly zeroes these fields, establishing the correct initialization pattern. The vulnerability is guarded by CONFIG_NF_NAT kernel configuration, as the affected fields only exist when NAT support is enabled.

RemediationAI

Update the Linux kernel to the latest stable version for your branch: 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0 and later. The upstream fix is available via git commits referenced at https://git.kernel.org/stable/c/a5a89db6981a1ddf2314bf50cb49db5a3146185f and related commits. For systems unable to immediately update, restrict netlink access to trusted users only by limiting CAP_NET_ADMIN capabilities and using SELinux or AppArmor policies to prevent unprivileged processes from sending CTA_EXPECT_NAT netlink messages to the netfilter subsystem. Disable connection tracking NAT module (CONFIG_NF_NAT) at compile time if NAT functionality is not required, which eliminates the vulnerable code path entirely. Note that disabling NAT removes network address translation functionality and is only suitable for systems without that requirement.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy