Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_expect: use expect->helper

Use expect->helper in ctnetlink and /proc to dump the helper name.
Using nfct_help() without holding a reference to the master conntrack
is unsafe.

Use exp->master->helper in ctnetlink path if userspace does not provide
an explicit helper when creating an expectation to retain the existing
behaviour. The ctnetlink expectation path holds the reference on the
master conntrack and nf_conntrack_expect lock and the nfnetlink glue
path refers to the master ct that is attached to the skb.
Published: 2026-04-13
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel crash
Action: Immediate Patch
AI Analysis

Impact

The flaw is in the nf_conntrack_expect code of the Linux kernel: the helper name of an expectation was looked up by calling nfct_help() without holding a reference to the master conntrack, which is an unsafe dereference. This can result in the kernel dereferencing invalid memory, potentially causing a crash or other instability that manifests as a denial of service. The vulnerability lies in the way the ctnetlink and /proc interfaces expose helper names without proper locking or reference handling.

Affected Systems

All Linux kernel releases that include the nf_conntrack_expect component are affected, as the issue stems from generic kernel networking code. No specific patch level or vendor version is provided, so any system running the current, unpatched kernel is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.0 the severity is high, yet EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, suggesting no public exploits are known. The likely attack vector requires local or privileged access to the ctnetlink or /proc interfaces, so permission to manipulate network expectations is needed. Exploitation would likely produce a kernel panic or crashing service, enabling denial of service to all users on the host.

Generated by OpenCVE AI on April 14, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the fix for the nf_conntrack_expect helper handling bug.
  • If a kernel update is not possible, limit access to the ctnetlink and /proc interfaces that expose the nf_conntrack expectation helper information to trusted users or processes.
  • Continuously monitor system logs for kernel panic entries or abnormal crashes that could indicate exploitation attempts.



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Tue, 14 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Mon, 13 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
Title netfilter: nf_conntrack_expect: use expect->helper
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T13:21:02.592Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31414

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-13T14:16:10.537

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-31414

Red Hat

Severity: Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31414 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:34:34Z

Weaknesses