CVE-2026-43025 - Vulnerability Details

- netfilter: ctnetlink: ignore explicit helper on new expectations

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ignore explicit helper on new expectations

Use the existing master conntrack helper, anything else is not really
supported and it just makes validation more complicated, so just ignore
what helper userspace suggests for this expectation.

This was uncovered when validating CTA_EXPECT_CLASS via different helper
provided by userspace than the existing master conntrack helper:

BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
nf_ct_expect_related_report+0x2479/0x27c0
ctnetlink_create_expect+0x22b/0x3b0
ctnetlink_new_expect+0x4bd/0x5c0
nfnetlink_rcv_msg+0x67a/0x950
netlink_rcv_skb+0x120/0x350

Allowing to read kernel memory bytes off the expectation boundary.

CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace
via netlink dump.

Published: 2026-05-01

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s netfilter ctnetlink subsystem ignores user‑specified helpers when creating new expectations, causing an out‑of‑bounds read. This overflow can expose kernel memory contents to a process that interacts with netlink, potentially revealing sensitive data and aiding further compromise. The weakness is an improper input validation leading to a buffer over‑read, specifically CWE‑119, CWE‑20, and CWE‑125.

Affected Systems

All Linux kernel releases that include the netfilter conntrack expectation code are affected. The vulnerability applies to any system that enables netfilter and uses netlink to create expectations, regardless of specific version identifiers.

Risk and Exploitability

The CVSS score is 7.0 and EPSS is unavailable, so the precise severity is not fully quantified, but the impact is significant. Memory disclosure from kernel space can aid privilege escalation or reconnaissance. The likely attack vector is local: an attacker needs the ability to send crafted netlink messages, which typically requires privileged or compromised processes. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< e135f8e8212cbed12a03ab8dec77fa1247139897
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< 2ea0f35f235f70c133ad61fe05ba013753b978c6
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< 0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< 187b6ec5229ea93cb04c4f6d3b52efc80f513d0d
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< 21a04c31db4057deec85fcd6cc63d720b38819c3
`bd0779370588386e4a67ba5d0b176cfded8e6a53`	affected	< 917b61fa2042f11e2af4c428e43f08199586633a

Linux

affected

Version	Status	Constraints
`3.12`	affected	—
`0`	unaffected	< 3.12
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,e135f8e8212cbed12a03ab8dec77fa1247139897)`	affected	code_commit	—
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,2ea0f35f235f70c133ad61fe05ba013753b978c6)`	affected	code_commit	—
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd)`	affected	code_commit	—
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,187b6ec5229ea93cb04c4f6d3b52efc80f513d0d)`	affected	code_commit	—
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,21a04c31db4057deec85fcd6cc63d720b38819c3)`	affected	code_commit	—
`[bd0779370588386e4a67ba5d0b176cfded8e6a53,917b61fa2042f11e2af4c428e43f08199586633a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.12`	affected	generic	—
`[0,3.12)`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.134,6.6.*]`	unaffected	generic	—
`[6.12.81,6.12.*]`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Linux kernel release that includes the netfilter ctnetlink fix
Disable or restrict netlink usage for expectation creation on untrusted or unprivileged processes
Audit kernel logs for KASAN reports and consider disabling debugfs to reduce attack surface
Use SELinux or AppArmor to constrain processes that can send netlink messages

Generated by OpenCVE AI on May 2, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd
https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d
https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3
https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6
https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a
https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897
https://lore.kernel.org/linux-cve-announce/2026050159-CVE-2026-43025-5b63@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43025
https://www.cve.org/CVERecord?id=CVE-2026-43025

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://lore.kernel.org/linux-cve-announce/2026050159-CVE-2026-43025-5b63@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43025 https://www.cve.org/CVERecord?id=CVE-2026-43025
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-20

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350 Allowing to read kernel memory bytes off the expectation boundary. CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.
Title		netfilter: ctnetlink: ignore explicit helper on new expectations
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd https://git.kernel.org/stable/c/187b6ec5229ea93cb04c4f6d3b52efc80f513d0d https://git.kernel.org/stable/c/21a04c31db4057deec85fcd6cc63d720b38819c3 https://git.kernel.org/stable/c/2ea0f35f235f70c133ad61fe05ba013753b978c6 https://git.kernel.org/stable/c/917b61fa2042f11e2af4c428e43f08199586633a https://git.kernel.org/stable/c/e135f8e8212cbed12a03ab8dec77fa1247139897

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:27.103Z

Updated: 2026-05-01T14:15:27.103Z

Reserved: 2026-05-01T14:12:55.976Z

Link: CVE-2026-43025

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:46.903

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43025

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43025 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:15:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object