CVE Catalog

CVE-2026-43026

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability in netfilter ctnetlink causes uninitialized saved_addr and saved_proto fields in expectation structures when CTA_EXPECT_NAT is missing, leaking stale data from previous slab allocations to userspace.

Risk Assessment

The organization risks exposure of sensitive data (e.g., IP addresses, ports) from prior NAT expectations, potentially allowing an attacker with local access to read confidential network information.

Recommendation

Immediately update the Linux kernel to a version that zeroes saved_addr, saved_proto, and dir fields when CTA_EXPECT_NAT is absent.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT. The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields. Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled. Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS