CVE Catalog

CVE-2026-43024

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's netfilter nf_tables subsystem, allowing an immediate NF_QUEUE verdict. This verdict is not used by userspace nftables tools, and the ARP family lacks queue support, potentially leading to unexpected behavior.

Risk Assessment

The risk involves potential disruption of packet filtering in the ARP family, which could allow an attacker to bypass rules or cause a system crash.

Recommendation

It is recommended to immediately update the Linux kernel to a version containing the fix that rejects immediate NF_QUEUE verdicts in nf_tables.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject immediate NF_QUEUE verdict nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts. The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS