Skip to main content

Linux Kernel netfilter CVE-2026-43114

| EUVDEUVD-2026-27637 CRITICAL
Use of Incorrect Operator (CWE-480)
2026-05-06 Linux GHSA-6cwp-88hv-x237
Critical
Disputed · 9.4 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:28 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.4 (CRITICAL)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
CRITICAL 9.4

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry

New test case fails unexpectedly when avx2 matching functions are used.

The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo.

This works. Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f -

This is expected to work, because its the same set after all and it was already loaded once.

But with avx2, this fails: nft reports a clashing element.

The reported clash is of following form:

We successfully re-inserted a . b c . d

Then we try to insert a . d

avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to next.

Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*,

i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched.

No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.

Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug.

Before this commit, the wrong element is returned, but erronously reported as a full, identical duplicate.

The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.

AnalysisAI

A logic error in Linux kernel netfilter's AVX2-accelerated nft_set_pipapo matching allows incorrect element matching when flushing and reloading sets with composite keys (e.g., 'ipv4 . port'). The AVX2 code path prematurely returns non-matching entries during multi-field lookups, causing false collision reports when reinserting elements after a set flush. This affects netfilter firewall rule processing on systems with AVX2 CPU support. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N), the vector suggests critical network-accessible impact, though the description indicates this is a firewall rule management bug rather than a direct remote exploitation path. EPSS score of 0.02% (5th percentile) and no KEV listing suggest low real-world exploitation likelihood. Patches available across stable kernel branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.

Technical ContextAI

The vulnerability resides in the Linux kernel's netfilter subsystem, specifically in the nft_set_pipapo AVX2-optimized lookup functions used for efficient set matching in nftables. Pipapo is a specialized set implementation for fast prefix/range matching using bitmaps. The AVX2 code paths (using Intel Advanced Vector Extensions 2 SIMD instructions) contain an early-return bug when processing multi-field composite keys. During element lookup, when matching the last field of a composite key (e.g., the port in 'ipv4_addr . port'), the AVX2 function fails to consume all input data, leaving stale bits in the match bitmap. This causes the function to return elements that match only on the first field while ignoring mismatches in subsequent fields. The bug becomes observable when flushing a set (marking existing entries invalid for the new generation) and reloading identical elements: expired entries from the previous generation are incorrectly matched due to partial field comparison, triggering false duplicate-element errors. The generic C implementation and AVX2 slow-path fallback are unaffected. Commit 7711f4bb4b36 exposed this latent bug by improving range overlap detection.

RemediationAI

Apply vendor-released kernel patches immediately for affected stable branches: upgrade to Linux 6.6.136+ (for 6.6.x series), 6.12.83+ (6.12.x), 6.18.24+ (6.18.x), 6.19.14+ (6.19.x), or mainline 7.0+. Patches available at https://git.kernel.org/stable/ with specific commits fa4f1f52528c (6.6), 3d53f9aafd46 (6.12), 07de44424bb7 (6.18), 0abbc43f71d9 (6.19), and d3c0037ffe12 (mainline). For systems where immediate patching is not feasible, compensating controls include: disable AVX2 support in kernel build (recompile with CONFIG_AS_AVX2=n) - eliminates performance optimization but prevents buggy code path; avoid nftables pipapo set type for composite keys, use alternative set implementations like hash or rbtree for 'ipv4 . port' mappings - trades lookup performance for correctness; avoid flush-and-reload workflows for nftables sets with composite keys, use atomic ruleset replacement instead. Note that disabling AVX2 impacts performance across multiple kernel subsystems beyond netfilter. See official advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-43114 for additional vendor guidance.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy