Description
In the Linux kernel, the following vulnerability has been resolved:

net: af_key: zero aligned sockaddr tail in PF_KEY exports

PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr
payload space, so IPv6 addresses occupy 32 bytes on the wire. However,
`pfkey_sockaddr_fill()` initializes only the first 28 bytes of
`struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders
already zero the whole message buffer before filling the sockaddr
payloads. Keep the fix to the export paths that still append aligned
sockaddr payloads with plain `skb_put()`:

- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`

Fix those paths by clearing only the aligned sockaddr tail after
`pfkey_sockaddr_fill()`.
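
The bug and its fix as a userspace model, added here as an illustration and not taken from the kernel source or the patch: the fill writes the 28-byte `struct sockaddr_in6` into a 32-byte aligned slot, and only the fixed export clears the 4-byte tail. The helper names mirror the kernel's, but their bodies, the `PFKEY_ALIGN8` macro and the 0xAA stand-in for stale `skb_put()` memory are assumptions.

```c
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PF_KEY pads each sockaddr to an 8-byte boundary (userspace model, not kernel code). */
#define PFKEY_ALIGN8(n) (((n) + 7) & ~(size_t)7)

/* Space reserved on the wire: 32 bytes for an IPv6 sockaddr (sizeof == 28). */
static size_t pfkey_sockaddr_size(int family)
{
    return PFKEY_ALIGN8(family == AF_INET6 ? sizeof(struct sockaddr_in6)
                                           : sizeof(struct sockaddr_in));
}

/* Writes only sizeof(struct sockaddr_in6) bytes and returns that count. */
static size_t pfkey_sockaddr_fill(const struct in6_addr *addr, void *dst)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_addr = *addr;
    memcpy(dst, &sin6, sizeof(sin6));
    return sizeof(sin6);
}

/* Fixed export path: clear only the aligned tail after the fill. */
static void export_fixed(const struct in6_addr *addr, uint8_t *slot)
{
    size_t filled = pfkey_sockaddr_fill(addr, slot);
    size_t total = pfkey_sockaddr_size(AF_INET6);
    if (total > filled)
        memset(slot + filled, 0, total - filled);
}

/* Stand-in for stale skb memory: pre-fill the slot with 0xAA, export, and count
 * tail bytes still holding the stale value (expected: 4 unfixed, 0 fixed).
 * The unfixed path is the bare fill, exactly as the affected messages did it. */
static int stale_tail_bytes(int fixed)
{
    uint8_t slot[32];
    struct in6_addr addr = IN6ADDR_LOOPBACK_INIT;
    int stale = 0;
    memset(slot, 0xAA, sizeof(slot));
    if (fixed) export_fixed(&addr, slot); else pfkey_sockaddr_fill(&addr, slot);
    for (size_t i = sizeof(struct sockaddr_in6); i < sizeof(slot); i++)
        stale += (slot[i] == 0xAA);
    return stale;
}
```

The same tail check is what a reviewer would apply to any export that reserves `pfkey_sockaddr_size()` bytes but fills fewer.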
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the PF_KEY export paths of the Linux kernel, where a 4-byte region of the IPv6 sockaddr payload is left uninitialized. Because pfkey_sockaddr_fill() initializes only the first 28 bytes of a 32-byte payload, the remaining aligned bytes may still hold data from earlier kernel activity. An attacker who can trigger a PF_KEY message such as SADB_ACQUIRE or the newer NAT-T mapping extension could read these stale bytes, potentially leaking sensitive kernel data. This flaw is an instance of uninitialized memory usage (CWE-796).

Affected Systems

Affected systems are Linux kernels that provide the af_key (PF_KEY) interface and predate the patch that clears the aligned tail. The issue is present in all release series before the commit referenced in the provided git patches, possibly including kernels older than 5.15. No version numbers are specified, but the flaw was identified in the official kernel codebase.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, which suggests it has not yet been widely exploited. The risk is moderate because exploitation requires an attacker to reach the PF_KEY socket and trigger one of the specific export paths. However, the leak could help an attacker gather kernel memory contents, which can be useful for further privilege escalation. Applying the upstream patch promptly is the recommended way to eliminate the uninitialized memory region.

Generated by OpenCVE AI on May 6, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest version that includes the commit zeroing the aligned sockaddr tail in PF_KEY exports.
  • Restrict PF_KEY socket access to trusted processes by enforcing strict permissions or disabling unrelated PF_KEY extensions.
  • If the environment does not require specific PF_KEY extensions such as SADB_X_NAT_T_NEW_MAPPING or SADB_X_MIGRATE, disable or remove those extensions to minimize attack surface.


Advisories

No advisories yet.

History

Wed, 06 May 2026 12:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-796

Wed, 06 May 2026 09:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE` Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`.
Title               |                | net: af_key: zero aligned sockaddr tail in PF_KEY exports
First Time appeared |                | Linux; Linux linux Kernel
CPEs                |                | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:21.962Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43088

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:22.090

Modified: 2026-05-06T10:16:22.090

Link: CVE-2026-43088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses