Skip to main content

Linux Kernel CVE-2026-43088

| EUVDEUVD-2026-27586 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.3 LOW

Local attack requiring authenticated user; information disclosure of 4-byte uninitialized kernel memory leak; no integrity or availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
3.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 19, 2026 - 16:04 vuln.today
CVSS changed
Jun 19, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: af_key: zero aligned sockaddr tail in PF_KEY exports

PF_KEY export paths use pfkey_sockaddr_size() when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkey_sockaddr_fill() initializes only the first 28 bytes of struct sockaddr_in6, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain skb_put():

  • SADB_ACQUIRE
  • SADB_X_NAT_T_NEW_MAPPING
  • SADB_X_MIGRATE

Fix those paths by clearing only the aligned sockaddr tail after pfkey_sockaddr_fill().

AnalysisAI

Linux kernel PF_KEY IPSEC key management exports leak uninitialized kernel memory via SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE messages, allowing local authenticated users to disclose sensitive kernel memory. EPSS score of 0.02% (percentile 5%) indicates minimal real-world exploitation despite patch availability. The 4-byte information leak per message could enable ASLR bypass and kernel address disclosure attacks.

Technical ContextAI

The vulnerability exists in the Linux kernel's PF_KEY (AF_KEY socket family) implementation used for IPsec key management. The pfkey_sockaddr_fill() function initializes only 28 bytes of struct sockaddr_in6 (32 bytes when aligned), leaving 4 padding bytes uninitialized. PF_KEY export paths allocate space via pfkey_sockaddr_size() which accounts for the full 32-byte alignment, but initialization is incomplete, exposing kernel stack memory. Three message types (SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, SADB_X_MIGRATE) append aligned sockaddr payloads using plain skb_put(), leaking the uninitialized tail. State and policy dump builders already zero entire message buffers, so they are unaffected. The root cause is the mismatch between reserved size and initialized size when exporting sockaddr structures to userspace IPsec applications.

RemediationAI

Update Linux kernel to patched version 6.19.14 or later, or 7.0 or later. Alternatively apply upstream commit fixes available at git.kernel.org/stable: 2e74f974359b5382ecbe8536abbb5b837eb6c724, 426c355742f02cf743b347d9d7dbdc1bfbfa31ef, 11cbf294bac623bd57296f231199193087f57b4a, edd446ee7cd3d02cac246168063d5b3e9ea68460, 3c19cb8a84ef709d57943bd6664cf31cb91ba6ec. The fix zeros the aligned sockaddr tail (final 4 bytes) after pfkey_sockaddr_fill(). No workaround prevents memory leak without disabling IPsec entirely. For systems unable to patch immediately, restrict AF_KEY socket access via SELinux or AppArmor policies, noting this may break legitimate IPsec applications. See https://nvd.nist.gov/vuln/detail/CVE-2026-43088 and https://vuldb.com/vuln/361324.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.145 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.132 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.162 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.132 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.176 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.125 Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-EC2-ECS Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Affected
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected

Share

CVE-2026-43088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy