Skip to main content

Linux Kernel CVE-2026-43453

| EUVDEUVD-2026-28759 HIGH
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-hc7j-44jc-q764
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 17:08 vuln.today
CVSS changed
May 21, 2026 - 17:07 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()

pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS 16).

Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN:

BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4

This frame has 1 object: [32, 160) 'rulemap'

The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array.

Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.

AnalysisAI

Stack out-of-bounds read in the Linux kernel's netfilter nft_set_pipapo subsystem allows local low-privileged attackers to read 4 bytes past the end of a stack-allocated rulemap array via pipapo_drop(). The flaw was confirmed by KASAN and affects kernels from 5.6 onward until the fixed stable releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile), but the CVSS 7.1 score reflects the potential for kernel memory disclosure and availability impact.

Technical ContextAI

The vulnerability resides in nft_set_pipapo, the netfilter 'PIle PAcket POlicies' set backend that implements efficient multi-field packet matching for nftables. The function pipapo_drop() iterates over the rulemap array (sized by NFT_PIPAPO_MAX_FIELDS == 16) and passes rulemap[i + 1].n to pipapo_unmap() on every iteration, including the final iteration where i equals m->field_count - 1. Although pipapo_unmap() short-circuits when is_last is true, C semantics require the argument to be evaluated at the call site before function entry, producing a genuine stack out-of-bounds read of 4 bytes at offset 164 beyond the rulemap object. This is a classic CWE-125 (Out-of-bounds Read) issue, and the fix replaces the out-of-bounds index with a literal 0 on the last iteration.

RemediationAI

Vendor-released patch is available - upgrade to one of the fixed stable kernels: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0. The upstream commits are published at git.kernel.org/stable/c/ (see references including 1957e793196e, 57fb87ca095d, 60c1d18781e3, 0a55d62cdb62, dfbdac719198, e047f6fbb975, 324b749aa5b2, and d6d8cd2db236) and additional context is at https://nvd.nist.gov/vuln/detail/CVE-2026-43453. If patching is not immediately possible, the most effective compensating control is to prevent untrusted local users from creating or manipulating nftables sets - disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Debian/Ubuntu kernels, or user.max_user_namespaces=0) which removes the common path to CAP_NET_ADMIN for ordinary users; note this breaks rootless containers, sandboxes (Chrome, Flatpak), and some CI runners. Alternatively, restrict nftables tooling via seccomp/AppArmor/SELinux policies to confine which processes can issue NFNL_SUBSYS_NFTABLES netlink messages, accepting the operational overhead of policy maintenance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy