CVE-2026-43084 - Vulnerability Details

- netfilter: nfnetlink_queue: make hash table per queue

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but
it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
nfnetlink_rcv_msg+0x46a/0x930
kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still
encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
but as we have to alloc/free for each skb this will cause more mem
pressure.

Published: 2026-05-06

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s nfnetlink_queue subsystem has a use‑after‑free flaw: a nf_queue_entry is freed with kfree while another CPU thread still traverses the list, resulting in a kernel panic as evidenced by the KASAN trace in nfqnl_recv_verdict. This memory corruption can abruptly terminate kernel execution.

Affected Systems

All Linux kernel installations that ship the nfnetlink_queue module and have not applied the per‑queue hash table patch are affected. The advisory does not enumerate specific kernel versions, so every kernel prior to the fix is considered vulnerable.

Risk and Exploitability

The vulnerability is a high‑impact memory‑corruption bug that can cause a kernel crash. The CVSS score of 7.0 indicates moderate to high severity, and the EPSS score of < 1% shows low likelihood of exploitation; it is not listed in CISA KEV. The likely attack vector requires the ability to send crafted netlink messages to the nfnetlink_queue interface, so systems exposed to untrusted network traffic on this interface are at risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`371de2bef6582a3f58049b3d18e190924af9c9a0`	affected	< 22730cb96093b5be0609063bbb1923dbecd61252
`870e3e63da8e88daffe9d692a025c711658018a8`	affected	< 41e3652a178cb0eecd48e0e6e27fbb73a004046a
`70e2e3ce4f6841e12ec1c104fc76c0e707398ec4`	affected	< 9e5ebef91120d2764aefe557c3a484b6288f341f
`e19079adcd26a25d7d3e586b1837493361fdf8b6`	affected	< 936206e3f6ff411581e615e930263d6f8b78df9d

Linux

unaffected

Version	Status	Constraints
`6.12.75`	affected	< 6.12.83
`6.18.14`	affected	< 6.18.24
`6.19.4`	affected	< 6.19.14

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[371de2bef6582a3f58049b3d18e190924af9c9a0,22730cb96093b5be0609063bbb1923dbecd61252)`	affected	code_commit	—
`[870e3e63da8e88daffe9d692a025c711658018a8,41e3652a178cb0eecd48e0e6e27fbb73a004046a)`	affected	code_commit	—
`[70e2e3ce4f6841e12ec1c104fc76c0e707398ec4,9e5ebef91120d2764aefe557c3a484b6288f341f)`	affected	code_commit	—
`[e19079adcd26a25d7d3e586b1837493361fdf8b6,936206e3f6ff411581e615e930263d6f8b78df9d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.12.75,6.12.83)`	affected	semver	—
`[6.18.14,6.18.24)`	affected	semver	—
`[6.19.4,6.19.14)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that implements the per‑queue hash table fix to eliminate the use‑after‑free condition
If a kernel update is not yet available, temporarily unload the nfnetlink_queue module with "rmmod nfnetlink_queue" to prevent the vulnerable code from executing
Monitor kernel logs for KASAN or Oops messages and reboot immediately if a crash occurs

Generated by OpenCVE AI on May 7, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252
https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a
https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d
https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f
https://lore.kernel.org/linux-cve-announce/2026050615-CVE-2026-43084-963f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43084
https://www.cve.org/CVERecord?id=CVE-2026-43084

History

Thu, 07 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362 CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026050615-CVE-2026-43084-963f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43084 https://www.cve.org/CVERecord?id=CVE-2026-43084
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 06 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450 struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list. Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure.
Title		netfilter: nfnetlink_queue: make hash table per queue
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252 https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:19.253Z

Updated: 2026-05-06T07:40:19.253Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43084

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T10:16:21.610

Modified: 2026-05-06T13:08:07.970

Link: CVE-2026-43084

Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43084 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T05:00:12Z

Weaknesses

CWE-364

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object