Skip to main content

Linux Kernel EUVDEUVD-2026-28613

| CVE-2026-43329 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-45q4-4828-537r
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:24 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: strictly check for maximum number of actions

The maximum number of flowtable hardware offload actions in IPv6 is:

  • ethernet mangling (4 payload actions, 2 for each ethernet address)
  • SNAT (4 payload actions)
  • DNAT (4 payload actions)
  • Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)

for QinQ.

  • Redirect (1 action)

Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions.

Update flow_action_entry_next() calls to check for the maximum number of supported actions.

While at it, rise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.

AnalysisAI

Buffer overflow in Linux kernel netfilter flowtable hardware offload allows local authenticated users to achieve high confidentiality, integrity, and availability impact via IPv6 flowtable configurations. The vulnerability stems from an off-by-one error where IPv6 setups require 17 actions but the hardcoded limit was 16, enabling memory corruption when complex IPv6 flows with SNAT, DNAT, VLAN manipulation, and tunneling are offloaded to hardware. EPSS exploitation probability is low (0.02%, 7th percentile), and vendor patches are available across multiple stable kernel branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The netfilter flowtable subsystem in the Linux kernel provides hardware offload capabilities for connection tracking and NAT operations. Hardware offload translates kernel flow rules into device-specific actions executed by network interface cards. The vulnerability exists in the flow_action_entry_next() function within the flowtable code path, where an insufficient bounds check allows exceeding the NF_FLOW_RULE_ACTION_MAX limit. IPv6 flows are particularly affected because address manipulation operates at 32-bit word granularity, consuming 4 payload actions per IPv6 address modification. Complex scenarios involving Ethernet header rewriting (4 actions), SNAT (4 actions), DNAT (4 actions), QinQ double VLAN tagging (4 actions), and redirect (1 action) can reach 17 actions. The vulnerability was introduced in commit c29f74e0df7a (kernel 5.5) and fixed by raising the action limit from 16 to 24 and adding strict validation in flow_action_entry_next(). CPE applicability spans linux:linux_kernel versions from 5.5 through affected stable branches prior to the patched releases.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.203 or later for 5.15.x branch, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Patch commits are available from https://git.kernel.org/stable with branch-specific fixes. If immediate patching is not feasible, disable netfilter flowtable hardware offload by removing flow_offload rules from nftables configuration or disabling the nf_flow_table_hw module (modprobe -r nf_flow_table_hw), though this will degrade network performance on high-throughput systems by forcing software-based flow processing. Alternatively, simplify IPv6 flowtable configurations to avoid simultaneous use of SNAT, DNAT, double VLAN tagging, and tunneling in the same flow rule, reducing action count below 16 - this workaround may require significant network architecture changes and is only viable if QinQ or complex NAT scenarios are non-essential. Monitor kernel logs for flowtable offload errors which may indicate exploitation attempts or misconfigurations triggering the vulnerability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy