Skip to main content

Linux Kernel CVE-2026-43451

| EUVDEUVD-2026-28757 MEDIUM
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-hx98-q4r6-mgcv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 17:09 vuln.today
CVSS changed
May 21, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff.

This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory.

Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.

AnalysisAI

Repeated memory exhaustion in the Linux kernel's netfilter nfnetlink_queue subsystem allows a local low-privileged attacker to trigger a denial of service by leaking kernel memory on every crafted PF_BRIDGE verdict. The defect in nfqnl_recv_verdict() causes the nf_queue_entry, its sk_buff, and all held net_device and struct net reference counts to never be released when nfqa_parse_bridge() returns an error due to malformed VLAN netlink attributes. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) reflects the constrained local attack path and low exploitation probability.

Technical ContextAI

The vulnerability resides in net/netfilter/nfnetlink_queue.c (CPE: cpe:2.3:a:linux:linux) and is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). The netfilter nfnetlink_queue subsystem allows userspace processes to receive and verdict on network packets via netlink. nfqnl_recv_verdict() calls find_dequeue_entry() to remove a packet entry from the queue, transferring ownership to the caller. For PF_BRIDGE (bridged network layer) packets, it subsequently invokes nfqa_parse_bridge() to extract VLAN attributes. When NFQA_VLAN is present in the netlink message but the required NFQA_VLAN_TCI sub-attribute is absent, nfqa_parse_bridge() returns -EINVAL. The caller returns immediately without invoking nfqnl_reinject() to release the entry, permanently leaking the nf_queue_entry struct, its sk_buff, and all reference-counted kernel objects pinned by the entry. The fix applies nfqnl_reinject() with NF_DROP on this error path, consistent with how other error cases in the same file are handled. The vulnerability was introduced in commit 8d45ff22f1b43249f0cf1baafe0262ca10d1666e, traceable to Linux 4.7.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version appropriate for the deployed stable branch: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 and the related commits listed in the CVE references for other stable branches. Distribution maintainers (RHEL, Debian, Ubuntu, SUSE, etc.) should be monitored for backported kernel packages incorporating these fixes. As a compensating control where immediate patching is not feasible, removing NFQUEUE (nfnetlink_queue) rules that apply to PF_BRIDGE traffic will prevent the vulnerable code path from being reached entirely - note this may disable bridge-layer packet inspection functionality that security tools or firewalls depend on. Restricting CAP_NET_ADMIN to trusted processes and avoiding overly permissive user namespaces in container runtimes further reduces the exploitable population without functional impact on most workloads.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy