Skip to main content

Linux Kernel CVE-2026-43084

| EUVDEUVD-2026-27578 HIGH
Use After Free (CWE-416)
2026-05-06 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:25 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure.

AnalysisAI

Local privilege escalation in Linux kernel netfilter nfnetlink_queue allows authenticated users with low privileges to execute arbitrary code with high integrity and availability impact via race condition in shared hash table. The vulnerability stems from a use-after-free condition when multiple queues share a global hash table, enabling parallel CPU operations to access freed nf_queue_entry structures. EPSS score is low (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14) with upstream commits confirmed.

Technical ContextAI

The nfnetlink_queue subsystem in netfilter provides userspace queueing for packet filtering decisions. Prior to this fix, all queue instances shared a single global hash table for tracking nf_queue_entry structures representing queued packets. When an entry was freed via immediate kfree() on one CPU, concurrent threads on other CPUs could still traverse the hash chain and access the freed memory, creating a classic use-after-free race condition detected by KASAN (Kernel Address Sanitizer). The vulnerability manifests in nfqnl_recv_verdict() when processing verdicts from userspace, where a verdict handler on one core may reference a queue entry that another core has just deallocated. The fix redesigns the architecture to use per-queue hash tables rather than a shared global structure, eliminating the cross-queue race window. This represents a CWE-416 class vulnerability (Use After Free) in kernel memory management, specifically in the netlink-based packet queueing infrastructure used by iptables/nftables userspace integration.

RemediationAI

Upgrade to patched Linux kernel versions: 6.19.14 or later for 6.19.x series, 6.18.24 or later for 6.18.x series, or 6.12.83 or later for 6.12.x LTS series. Upstream fixes available in commits 22730cb96093 (mainline), 936206e3f6ff, 9e5ebef91120, and 41e3652a178c across stable branches as documented at git.kernel.org/stable/c/ references. For systems unable to immediately patch, consider disabling nfnetlink_queue module if not required for firewall operations via 'modprobe -r nfnetlink_queue' and blacklisting in /etc/modprobe.d/. This workaround eliminates the vulnerable code path but breaks userspace packet queueing functionality used by applications like Suricata IPS mode or custom iptables NFQUEUE rules - verify no production firewall rules use NFQUEUE target before applying. Alternatively, restrict CAP_NET_ADMIN capability in container environments to trusted workloads only, reducing the pool of processes capable of triggering the race condition, though this does not eliminate risk from already-privileged local users. Kernel live-patching solutions (kpatch/kGraft) may provide zero-downtime mitigation for supported distributions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy