Skip to main content

Linux Kernel EUVDEUVD-2026-28756

| CVE-2026-43450 HIGH
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-4jv3-xpmj-f4vf
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 17:08 vuln.today
CVSS changed
May 21, 2026 - 17:07 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()

nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassing the bounds check, causing an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].

The 'goto restart' block was meant to re-traverse the current bucket when "last" is no longer found, but it was placed after the for loop instead of inside it. Move the block into the for loop body so that the restart only occurs while cb->args[0] is still within bounds.

BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 Call Trace: nfnl_cthelper_dump_table+0x9f/0x1b0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 sock_recvmsg+0xde/0xf0 __sys_recvfrom+0x150/0x200 __x64_sys_recvfrom+0x76/0x90 do_syscall_64+0xc3/0x6e0

Allocated by task 1: __kvmalloc_node_noprof+0x21b/0x700 nf_ct_alloc_hashtable+0x65/0xd0 nf_conntrack_helper_init+0x21/0x60 nf_conntrack_init_start+0x18d/0x300 nf_conntrack_standalone_init+0x12/0xc0

AnalysisAI

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_cthelper subsystem allows a local attacker with CAP_NET_ADMIN to trigger an 8-byte OOB read in nfnl_cthelper_dump_table() by racing helper deletion against a netlink dump operation. The flaw stems from a misplaced 'goto restart' that bypasses the for-loop bounds check when cb->args[0] equals nf_ct_helper_hsize, as detected by KASAN. EPSS is 0.02% and no public exploit identified at time of analysis, though a detailed reproducer call trace exists in the commit message.

Technical ContextAI

The vulnerability resides in net/netfilter/nfnetlink_cthelper.c, part of the Linux kernel's connection tracking helper infrastructure exposed via the nfnetlink interface. Conntrack helpers (ftp, irc, sip, etc.) are stored in a hash table (nf_ct_helper_hash) of size nf_ct_helper_hsize, and userspace can enumerate them via netlink dumps that resume across calls using cb->args[]. The CWE-125 (Out-of-bounds Read) root cause is control-flow: a 'goto restart' label inside a for-loop body is reachable after the loop's bounds check has been bypassed, so when the previously-saved 'last' helper has been deleted between dump rounds, cb->args[1] is never cleared and the restart jumps back into the loop body with cb->args[0] == nf_ct_helper_hsize, dereferencing one entry past the hash table.

RemediationAI

Vendor-released patch: upgrade to Linux stable 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0 (or the equivalent backport from your distribution's kernel-security feed). The fix relocates the 'goto restart' block inside the for-loop body so the bounds check on cb->args[0] is honored; the relevant commits are listed under https://git.kernel.org/stable/c/ including 6dcee8496d53165b2d8a5909b3050b62ae71fe89 and its stable backports. Until kernels are rebuilt and rebooted, compensating controls are to disable the nfnetlink_cthelper module where unused (rmmod nfnetlink_cthelper and blacklist it in /etc/modprobe.d, which breaks any userspace tool that registers custom conntrack helpers via netlink), restrict CAP_NET_ADMIN by disabling unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 or user.max_user_namespaces=0, which will break rootless containers and some sandboxing), and tighten Seccomp/LSM profiles on container workloads to deny the nfnetlink socket family - each control trades functionality for risk reduction and should be validated against your conntrack-helper usage.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy