Skip to main content

Linux Kernel CVE-2026-43060

| EUVDEUVD-2026-27354 HIGH
2026-05-05 Linux GHSA-6c86-hp8g-chh5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 15:46 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 05, 2026 - 17:01 EUVD
CVE Published
May 05, 2026 - 15:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: drop pending enqueued packets on removal

Packets sitting in nfqueue might hold a reference to:

  • templates that specify the conntrack zone, because a percpu area is

used and module removal is possible.

  • conntrack timeout policies and helper, where object removal leave

a stale reference.

Since these objects can just go away, drop enqueued packets to avoid stale reference to them.

If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.

AnalysisAI

Use-after-free in Linux kernel's netfilter nft_ct subsystem allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from stale references to conntrack zone templates, timeout policies, and helper objects in packets queued to nfqueue when these objects are removed. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no active exploitation confirmed at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0).

Technical ContextAI

This vulnerability affects the Linux kernel's netfilter subsystem, specifically the nft_ct (nftables connection tracking) module. Netfilter provides packet filtering, NAT, and connection tracking capabilities at the network layer. The nft_ct module implements connection tracking integration for nftables. The issue involves the nfqueue mechanism, which allows userspace programs to make packet filtering decisions. When packets are enqueued in nfqueue, they hold references to kernel objects including conntrack zone templates (stored in percpu memory areas), timeout policies, and helper objects. Because nftables supports dynamic module loading/unloading and runtime object removal, these referenced objects can be deleted while packets still hold pointers to them. The vulnerability exists from commit 7e0b2b57f01d183e1c84114f1f2287737358d748 onwards, affecting kernels 4.19 and later. The percpu storage allocation for zone templates combined with module removal creates a race condition leading to use-after-free when enqueued packets reference deallocated memory. Affected CPEs include generic Linux kernel builds (cpe:2.3:a:linux:linux).

RemediationAI

Upgrade to patched kernel versions: 5.10.253 or later for 5.10.x branch, 5.15.203+ for 5.15.x, 6.1.167+ for 6.1.x LTS, 6.6.130+ for 6.6.x LTS, 6.12.78+ for 6.12.x, 6.18.20+ for 6.18.x, 6.19.10+ for 6.19.x, or kernel 7.0 for mainline. Patch commits available at https://git.kernel.org/stable/ with identifiers ab50302190b3, 36eae0956f65, e68a8db3a054, 3da0b946835f, f29a055e4f59, 77da55dee677, 8a64e7693367, and 6802ff8beceb. For systems unable to immediately patch, implement compensating controls: disable nfqueue functionality if not required by removing nfnetlink_queue module (modprobe -r nfnetlink_queue) which prevents packet queueing to userspace - trade-off is loss of userspace packet filtering capabilities. Restrict nftables configuration changes to root-only by ensuring unprivileged users cannot modify /etc/nftables.conf or execute nft commands, limiting attack surface to already-privileged accounts. Avoid dynamic module unloading in production by setting kernel.modules_disabled=1 sysctl after boot, though this prevents all module operations until reboot. Monitor for unusual nftables rule modifications or nfqueue usage via auditd rules targeting nft command execution and netlink socket activity.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy