Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_expect: use expect->helper

Use expect->helper in ctnetlink and /proc to dump the helper name.
Using nfct_help() without holding a reference to the master conntrack
is unsafe.

Use exp->master->helper in ctnetlink path if userspace does not provide
an explicit helper when creating an expectation to retain the existing
behaviour. The ctnetlink expectation path holds the reference on the
master conntrack and nf_conntrack_expect lock and the nfnetlink glue
path refers to the master ct that is attached to the skb.
Published: 2026-04-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash
Action: Immediate Patch
AI Analysis

Impact

The flaw is in how the nf_conntrack_expect code obtains the helper name: nfct_help() is called on the master conntrack without holding a reference to it, which is unsafe. This can result in the kernel dereferencing invalid memory, potentially causing a crash or other instability that manifests as a denial of service. The vulnerability lies in the way the ctnetlink and /proc interfaces expose helper names without proper locking or reference handling.

Affected Systems

All Linux kernel releases that include the nf_conntrack_expect component are affected, as the issue stems from generic kernel networking code. No specific patch level or vendor version is provided, so any system running the current, unpatched kernel is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.8 the severity is critical, yet the EPSS score of < 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting no public exploits are known. The likely attack vector, inferred from the description, requires local or privileged access to the ctnetlink or /proc interfaces, so permission to manipulate network expectations is needed. Exploitation would likely produce a kernel panic or a crashing service, denying service to all users on the host.

Generated by OpenCVE AI on April 29, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that addresses the vulnerability in nf_conntrack_expect.
  • Restrict access to the ctnetlink and /proc interfaces that expose helper names to trusted users or processes, limiting potential exploitation of these weaknesses.
  • Continuously monitor system logs for kernel panic entries or abnormal crashes that could indicate exploitation attempts of the identified weaknesses.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update

History

Wed, 29 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Tue, 28 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Mon, 27 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Tue, 14 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Mon, 13 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
Title | | netfilter: nf_conntrack_expect: use expect->helper
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:59.127Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31414

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-13T14:16:10.537

Modified: 2026-04-27T14:16:37.333

Link: CVE-2026-31414

Redhat

Severity: Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31414 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses