CVE-2026-43035 - Vulnerability Details

- net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak

When building netlink messages, tc_chain_fill_node() never initializes
the tcm_info field of struct tcmsg. Since the allocation is not zeroed,
kernel heap memory is leaked to userspace through this 4-byte field.

The fix simply zeroes tcm_info alongside the other fields that are
already initialized.

Published: 2026-05-01

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from the tc_chain_fill_node function in the Linux kernel not initializing the tcm_info field of struct tcmsg. Because the buffer is allocated without zeroing, parts of kernel heap memory are exposed to userspace through netlink messages, allowing local processes to read unintended data. This leakage presents a confidentiality risk and is an instance of an uninitialized memory bug (CWE-788).

Affected Systems

The flaw exists in the Linux kernel wherever the tc_chain_fill_node routine is unmodified. The specific kernel releases affected are not enumerated in the advisory, so any kernel version lacking the zeroing patch is considered vulnerable. Administrators should verify whether their installed kernel contains the commit referenced in the provided links.

Risk and Exploitability

The CVSS score is not supplied, and the EPSS score is unavailable; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, where a process can send or receive traffic that triggers tc_chain_fill_node and read the leaked tcm_info field. While the exploitation requires local privileges or control over netlink traffic, the impact is unauthorized disclosure of kernel data. Given the lack of publicly demonstrated exploits, exploitation probability is considered low but non-zero.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< 903c3405cfcc7700260e456ab66a5867586c9e69
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< 71a3eda7e850ae844cb8993065f4e410c11a46ce
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< 4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< e35f5195cd44ff4053fbc5d71ea97681728a0099
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< d6db08484c6cb3d4ad696246f9d288eceba2a078
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< 906997ea3766c24fbbf9cc4bf17c047315bbd138
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< 1091b3c174441a52fdbb92e2fe00338f9371a91c
`32a4f5ecd7381f30ae3bb36dea77a150ba68af2e`	affected	< e6e3eb5ee89ac4c163d46429391c889a1bb5e404

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,903c3405cfcc7700260e456ab66a5867586c9e69)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,71a3eda7e850ae844cb8993065f4e410c11a46ce)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,e35f5195cd44ff4053fbc5d71ea97681728a0099)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,d6db08484c6cb3d4ad696246f9d288eceba2a078)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,906997ea3766c24fbbf9cc4bf17c047315bbd138)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,1091b3c174441a52fdbb92e2fe00338f9371a91c)`	affected	code_commit	—
`[32a4f5ecd7381f30ae3bb36dea77a150ba68af2e,e6e3eb5ee89ac4c163d46429391c889a1bb5e404)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	generic	—
`[0,4.19)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the commit which zeroes tcm_info in tc_chain_fill_node.
If an immediate kernel upgrade is not feasible, limit access to the affected netlink tc_* interfaces using firewall rules or netlink ACLs to reduce the window for local exploitation.
Enable system integrity monitoring (e.g., auditd, kernel module signature checks) to detect unauthorized kernel memory access and ensure that kernel updates are applied in a timely manner.

Generated by OpenCVE AI on May 1, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c
https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3
https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce
https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69
https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138
https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078
https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099
https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404
https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43035-2731@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43035
https://www.cve.org/CVERecord?id=CVE-2026-43035

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
References		https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43035-2731@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43035 https://www.cve.org/CVERecord?id=CVE-2026-43035
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-788

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field. The fix simply zeroes tcm_info alongside the other fields that are already initialized.
Title		net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3 https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69 https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138 https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078 https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099 https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:33.922Z

Updated: 2026-05-01T14:15:33.922Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43035

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:48.147

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43035

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43035 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T23:15:29Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object