Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: drop pending enqueued packets on removal

Packets sitting in nfqueue might hold a reference to:

- templates that specify the conntrack zone, because a percpu area is
used and module removal is possible.
- conntrack timeout policies and helper, where object removal leaves
a stale reference.

Since these objects can just go away, drop enqueued packets to avoid
stale reference to them.

If there is a need for finer grain removal, this logic can be revisited
to make selective packet drop upon dependencies.
Published: 2026-05-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s netfilter nft_ct component. When the nft_ct module is unloaded while packets are still queued, the kernel can be left holding stale references to conntrack templates, timeout policies, or helper objects. The improper cleanup can cause a use‑after‑free or dereference of a dangling pointer, potentially leading to a kernel crash and denial of service. Based on the description, it is inferred that an attacker with the ability to unload the module could trigger this condition.

Affected Systems

Based on the description, all Linux kernel versions that compile the nft_ct module without the patch are potentially affected. Systems that load nft_ct (the connection-tracking component of nftables) and may later unload it, for example during module reloads or by a privileged user, are at risk. The exact kernel versions are not specified in the advisory.

Risk and Exploitability

The CVSS score is 7.8, indicating a high-impact vulnerability. The EPSS score is <1%, suggesting a low probability of public exploitation. Based on the description, it is inferred that a local privileged attacker who can unload the nft_ct module could trigger the condition, which leads to a use-after-free and potentially a kernel crash and denial of service. The vulnerability is not listed in the CISA KEV catalog, but because it involves dereferencing a dangling pointer it remains a serious concern.

Generated by OpenCVE AI on May 26, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the patch for nft_ct
  • If an upgrade is not possible, disable or unload the nft_ct kernel module when it is not required
  • Restrict module unloading permissions so that only authorized users can unload kernel modules
  • Monitor system logs for kernel crash events or nfqueue-related errors, and respond promptly if they occur
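The recommended actions above combine three conditions: nft_ct loaded, module unloading still permitted, and packets able to sit in nfqueue. The following is an added exposure check written for this page, not OpenCVE's or the kernel project's code; it reads the real /proc files by default, and every check takes an optional path so it can be run against captured copies (the file formats assumed are those of /proc/modules, /proc/sys/kernel/modules_disabled and /proc/net/netfilter/nfnetlink_queue).

```shell
#!/bin/sh
# Added exposure check for the CVE-2026-43060 conditions: nft_ct loaded,
# module unloading still permitted, and nfqueue able to hold packets.
# Each check takes an optional file path so it can also be run against
# captured copies of the /proc files.

# Returns 0 when nft_ct appears in /proc/modules (module name is the first field).
nft_ct_loaded() {
    grep -q '^nft_ct ' "${1:-/proc/modules}"
}

# Returns 0 when kernel.modules_disabled is 0, i.e. modules can still be
# unloaded. Setting it to 1 is one-way until reboot, which is what closes
# the "privileged user unloads nft_ct" path named in the recommended actions.
modules_unloadable() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Returns 0 when at least one nfqueue is bound: /proc/net/netfilter/nfnetlink_queue
# has one line per queue, so a non-empty file means userspace can hold packets
# that still reference conntrack templates, timeout policies or helpers.
nfqueue_active() {
    f="${1:-/proc/net/netfilter/nfnetlink_queue}"
    [ -r "$f" ] && [ -n "$(head -n 1 "$f")" ]
}

# exposure_level [modules] [modules_disabled] [nfnetlink_queue]
# Prints "exposed" when all three conditions hold, "reduced" when nft_ct is
# loaded but one of the other conditions is absent, "not_applicable" otherwise.
exposure_level() {
    if ! nft_ct_loaded "$1"; then
        echo not_applicable
    elif nfqueue_active "$3" && modules_unloadable "$2"; then
        echo exposed
    else
        echo reduced
    fi
}

# Stand-alone use on the running system: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "nft_ct exposure: $(exposure_level)"
fi
```

An "exposed" result means the unload-while-queued window described in the commit message is reachable on the host; "reduced" means one of the preconditions is already absent, which is the state the recommended actions aim for until the patched kernel is installed.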

Generated by OpenCVE AI on May 26, 2026 at 15:18 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leave a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale reference to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.
Title netfilter: nft_ct: drop pending enqueued packets on removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:56.333Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43060

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-05T16:16:15.050

Modified: 2026-05-22T12:00:47.833

Link: CVE-2026-43060

Redhat

Severity : Moderate

Public Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43060 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses