Skip to main content

Linux Kernel CVE-2026-43116

| EUVDEUVD-2026-27641 HIGH
Race Condition (CWE-362)
2026-05-06 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:28 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ensure safe access to master conntrack

Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

  • Grab the nf_conntrack_expect_lock, this gets serialized with

clean_from_lists() which also holds this lock when the master conntrack goes away.

  • Hold reference on master conntrack via nf_conntrack_find_get().

Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity, in the cases that are described below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock before looking up for the expectation. Expand the existing spinlock section to address this to cover the expectation lookup. Note that, the nf_ct_expect_iterate_net() calls already grabs the spinlock while iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master.

While at it, add lockdep notations to help identify what codepaths need to grab the spinlock.

AnalysisAI

Use-after-free in Linux kernel netfilter ctnetlink allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient protection when accessing master conntrack objects through expectations - holding a reference on the expectation alone does not prevent the master conntrack from being freed, creating a window where exp->master points to freed memory. Patched in stable kernel versions 6.18.24, 6.19.14, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a lower-priority item despite the 7.8 CVSS score.

Technical ContextAI

This is a race condition in the Linux kernel's netfilter connection tracking subsystem, specifically in the ctnetlink interface that exposes conntrack functionality to userspace via Netlink. Connection tracking expectations (used for protocols like FTP that spawn related connections) maintain references to master conntrack structures. The vulnerability occurs because holding a reference count on the expectation object (nf_conntrack_expect) does not prevent the underlying master conntrack object from being deallocated by clean_from_lists(). When the master is freed while still referenced through exp->master, subsequent access creates a use-after-free condition. The fix extends the critical section protected by nf_conntrack_expect_lock to serialize access with the cleanup path, ensuring that master conntrack validity checks and accesses occur atomically. This affects ctnetlink commands for adding, deleting, and querying expectations, as well as expectation event delivery (IPEXP_NEW and IPEXP_DESTROY). The affected code paths are in net/netfilter/nf_conntrack_netlink.c, present since the initial Git import (commit 1da177e4c3f4), indicating this is a long-standing design issue rather than a recent regression.

RemediationAI

Update to patched kernel versions: 6.18.24 or later in the 6.18.x series, 6.19.14 or later in the 6.19.x series, or 7.0 stable release. Patches available from kernel.org git repositories at https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 (mainline), https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b (6.18.x), and https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 (6.19.x). For systems where immediate kernel updates require extensive testing or reboot windows are constrained, compensating controls include restricting CAP_NET_ADMIN capability to only essential system services (removes the ability for unprivileged users to interact with ctnetlink), disabling conntrack expectations if not required by your network protocols (achievable via iptables/nftables ruleset modifications to avoid helper modules like nf_conntrack_ftp), or implementing mandatory access control policies (SELinux, AppArmor) to limit netlink socket access to the NETLINK_NETFILTER family. Note that disabling connection tracking entirely breaks stateful firewalling, so this is only viable for specialized deployments. Kernel live-patching solutions (kpatch, kGraft, Ksplice) may provide hotfix options without reboots for enterprise distributions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy