Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()

pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).

Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:

BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4

This frame has 1 object:
[32, 160) 'rulemap'

The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.

Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
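To make the off-by-one concrete, here is an added user-space C model of the loop the description walks through; it is not kernel code and not part of the fix. The entry layout (8 bytes, .n at offset 4) and the names read_n, unmap_model, drop_buggy and drop_fixed are assumptions of the model, chosen so that the numbers line up with the KASAN report quoted above; out-of-bounds indexes are counted instead of dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#define NFT_PIPAPO_MAX_FIELDS 16
/* Rulemap entry: assumed 8-byte layout, .n at offset 4 (matches the KASAN frame [32, 160) and fault offset 164). */
struct map_entry { uint32_t to; uint32_t n; };

/* Stack rulemap plus a counter of out-of-bounds reads, which are recorded rather than performed (stands in for KASAN). */
struct rulemap_model { struct map_entry e[NFT_PIPAPO_MAX_FIELDS]; int oob_reads; };

static uint32_t read_n(struct rulemap_model *rm, int idx)
{
	if (idx < 0 || idx >= NFT_PIPAPO_MAX_FIELDS) {
		rm->oob_reads++;	/* the real code would read past the array here */
		return 0;
	}
	return rm->e[idx].n;
}

/* Stand-in for pipapo_unmap(): to_offset is unused when is_last, but the caller has already evaluated it. */
static uint32_t unmap_model(uint32_t to_offset, int is_last)
{
	return is_last ? 0 : to_offset;
}

/* Buggy loop: rulemap[i + 1].n is evaluated every iteration; with field_count == 16 the last one reads element 16. */
int drop_buggy(int field_count)
{
	struct rulemap_model rm = { { { 0, 0 } }, 0 };	/* constructed, all-zero rulemap */
	for (int i = 0; i < field_count; i++)
		(void)unmap_model(read_n(&rm, i + 1), i == field_count - 1);
	return rm.oob_reads;
}

/* Fixed loop: pass 0 on the last iteration so index field_count is never read. */
int drop_fixed(int field_count)
{
	struct rulemap_model rm = { { { 0, 0 } }, 0 };	/* constructed, all-zero rulemap */
	for (int i = 0; i < field_count; i++) {
		int is_last = (i == field_count - 1);
		(void)unmap_model(is_last ? 0 : read_n(&rm, i + 1), is_last);
	}
	return rm.oob_reads;
}

/* Frame offset of the faulting read: 32 + field_count * 8 + 4, i.e. 164 for 16 fields. */
size_t faulting_frame_offset(int field_count)
{
	return 32 + (size_t)field_count * sizeof(struct map_entry) + offsetof(struct map_entry, n);
}
```

With fewer than NFT_PIPAPO_MAX_FIELDS fields the buggy loop still reads rulemap[field_count], but that element lies inside the array, which is why the report only triggers with all 16 fields in use.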
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack out-of-bounds read occurs in the nftables pipapo_drop() function when the last rule map element is processed. The function reads a field past the end of the stack-allocated array, leading to a KASAN-detected memory access violation. The read can expose kernel memory contents to the calling context, potentially leaking sensitive data. This weakness is an example of improper restrictions on buffer bounds and leads to information exposure.

Affected Systems

All Linux kernel instances running the affected nft_set_pipapo implementation are susceptible. The vulnerability applies to every build of the kernel that has not yet incorporated the patch referenced in the description. It is vendor-agnostic within the Linux ecosystem.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. EPSS is < 1%, so the likelihood of exploitation is considered very low but not zero. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is local manipulation of nftables rules, which requires elevated privileges to create or drop rules. While the vulnerability does not allow arbitrary code execution, it does enable a stack out-of-bounds read that can expose kernel memory contents, potentially leaking sensitive data. The risk is moderate, driven by the possibility of information leakage and the lack of broader exploitation guidance.

Generated by OpenCVE AI on May 9, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix for nft_set_pipapo, ensuring the patch is applied across all relevant hosts.
  • Restrict nftables rule modifications to trusted administrative accounts and enforce strict privilege checks to prevent unauthorized rule manipulation.
  • Configure kernel log management to capture KASAN and other kernel fault messages, and regularly review logs for anomalous memory access errors.



Advisories

No advisories yet.

History

Sat, 09 May 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-200

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-200

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.
Title netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:18.087Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43453

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:58.027

Modified: 2026-05-08T15:16:58.027

Link: CVE-2026-43453

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43453 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T15:30:36Z

Weaknesses