Description
In the Linux kernel, the following vulnerability has been resolved:

net: af_key: zero aligned sockaddr tail in PF_KEY exports

PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders
already zero the whole message buffer before filling the sockaddr
payloads. Keep the fix to the export paths that still append aligned
sockaddr payloads with plain `skb_put()`:

- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`

Fix those paths by clearing only the aligned sockaddr tail after
`pfkey_sockaddr_fill()`.
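The following user-space C model is an added illustration, not kernel code and not part of this advisory. It reproduces the size mismatch the commit message describes: the reservation step rounds an IPv6 sockaddr up to 32 bytes, the fill step writes only the 28 bytes of `struct sockaddr_in6`, and clearing the remaining 4-byte tail after the fill is the correction. The names `model_sockaddr_size`, `model_sockaddr_fill6`, `export_unfixed` and `export_fixed` are hypothetical stand-ins for the kernel routines named above, and the 0xAA byte pattern is a constructed stand-in for stale buffer contents.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* PF_KEY rounds sockaddr payloads up to a multiple of 8 bytes on the wire. */
#define PFKEY_ALIGN8(a) (((a) + 7) & ~(size_t)7)

/* Model of the reservation step: how many bytes the export path sets aside.
 * Hypothetical stand-in for the kernel's pfkey_sockaddr_size(). */
static size_t model_sockaddr_size(int family)
{
    switch (family) {
    case AF_INET:  return PFKEY_ALIGN8(sizeof(struct sockaddr_in));  /* 16 */
    case AF_INET6: return PFKEY_ALIGN8(sizeof(struct sockaddr_in6)); /* 32 */
    default:       return 0;
    }
}

/* Model of the fill step: writes exactly sizeof(struct sockaddr_in6) bytes (28 on
 * Linux) and returns that count. Hypothetical stand-in for pfkey_sockaddr_fill(). */
static size_t model_sockaddr_fill6(const struct in6_addr *addr, uint16_t port, void *buf)
{
    struct sockaddr_in6 *sin6 = buf;
    sin6->sin6_family   = AF_INET6;
    sin6->sin6_port     = htons(port);
    sin6->sin6_flowinfo = 0;
    sin6->sin6_addr     = *addr;
    sin6->sin6_scope_id = 0;
    return sizeof(*sin6);
}

typedef void export_fn(unsigned char *payload, const struct in6_addr *addr, uint16_t port);

/* "Before": the reserved region is appended without zeroing (skb_put style),
 * filled, and the aligned tail beyond the struct is left untouched. */
static void export_unfixed(unsigned char *payload, const struct in6_addr *addr, uint16_t port)
{
    model_sockaddr_fill6(addr, port, payload);
}

/* "After": clear only the bytes between what the fill wrote and what was reserved. */
static void export_fixed(unsigned char *payload, const struct in6_addr *addr, uint16_t port)
{
    size_t filled   = model_sockaddr_fill6(addr, port, payload);
    size_t reserved = model_sockaddr_size(AF_INET6);
    if (reserved > filled)
        memset(payload + filled, 0, reserved - filled);
}

/* Run one export path over a buffer pre-filled with a constructed 0xAA pattern
 * (standing in for stale memory) and count how many reserved bytes past the
 * struct still carry that pattern, i.e. would leave the kernel uncleared. */
static size_t stale_tail_bytes(export_fn *export)
{
    unsigned char payload[32];
    struct in6_addr addr;
    size_t stale = 0;

    memset(payload, 0xAA, sizeof payload);
    memset(&addr, 0, sizeof addr);
    addr.s6_addr[15] = 1;               /* ::1, a constructed sample address */

    export(payload, &addr, 500);

    for (size_t i = sizeof(struct sockaddr_in6); i < model_sockaddr_size(AF_INET6); i++)
        if (payload[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("reserved for AF_INET6: %zu bytes, struct sockaddr_in6: %zu bytes\n",
           model_sockaddr_size(AF_INET6), sizeof(struct sockaddr_in6));
    printf("stale tail bytes, unfixed path: %zu\n", stale_tail_bytes(export_unfixed));
    printf("stale tail bytes, fixed path:   %zu\n", stale_tail_bytes(export_fixed));
    return 0;
}
```

The same arithmetic explains why the dump paths mentioned above are not affected: when the whole message buffer is zeroed before the fill, the 4 tail bytes are already clean, so only the paths that append with a plain, non-zeroing reservation need the explicit memset.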
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates in the Linux kernel's PF_KEY export routine, where IPv6 socket address entries are only partially initialized. The final four bytes of the 32-byte IPv6 address payload remain uninitialized and may carry leftover kernel memory contents. Based on the description, it is inferred that an attacker who can trigger the affected export paths (SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING or SADB_X_MIGRATE) may read those uninitialized bytes, resulting in information disclosure.

Affected Systems

Affected systems are Linux kernels built with the af_key (PF_KEY) interface that do not yet include the commit clearing the aligned tail of the sockaddr payload. Since no explicit version range is given, it is inferred that all distributions running unpatched kernel versions prior to the referenced commit are vulnerable.

Risk and Exploitability

The CVSS score of 5.5 denotes moderate severity. The EPSS score is below 1%, indicating a very low but non-zero likelihood of exploitation. The vulnerability is not listed in CISA KEV, suggesting that it has not been widely exploited. Based on the description, it is inferred that an attacker must be able to interact with a PF_KEY socket and invoke one of the affected export paths for the leak to occur; this requirement reduces the overall risk, but the potential for revealing kernel data warrants prompt remediation.

Generated by OpenCVE AI on May 7, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest version that includes the commit zeroing the aligned sockaddr tail in PF_KEY exports.
  • Restrict PF_KEY socket access to trusted processes by enforcing strict permissions or disabling unrelated PF_KEY extensions.
  • If the environment does not require specific PF_KEY extensions such as SADB_X_NAT_T_NEW_MAPPING or SADB_X_MIGRATE, disable or remove those extensions to minimize attack surface.


Advisories

Source      ID          Title
Debian DSA  DSA-6274-1  linux security update
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 14 May 2026 15:15:00 +0000


Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-796

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity: None → Moderate; cvssV3_1 added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-796

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description (added; identical to the Description section at the top of this page)
Title net: af_key: zero aligned sockaddr tail in PF_KEY exports
First Time appeared Linux; Linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux; Linux Kernel
References
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-14T14:30:12.539Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43088

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T10:16:22.090

Modified: 2026-05-22T19:44:34.400

Link: CVE-2026-43088

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43088 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T05:00:12Z

Weaknesses