Description
pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peer_lookup_tcp (src/peer_lookup.c:134, prior to the fix) allowed a crafted NETLINK_SOCK_DIAG reply to slip past the message-size check, then dereference past the end of the allocation. This vulnerability is fixed in 0.2.0-alpha.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_authnft contains a heap buffer over‑read in the peer_lookup_tcp function. A crafted NETLINK_SOCK_DIAG reply can bypass the message‑size check, causing the code to dereference beyond the boundary of the allocated buffer. This memory corruption can be leveraged by an attacker to overwrite critical data structures or trigger a crash, and depending on the context, may enable arbitrary code execution.
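The over-read described above is the classic failure of a netlink reply walker that trusts the sender-supplied nlmsg_len once a header has fit in the buffer. The following C program is an added example, not code from pam_authnft (src/peer_lookup.c is not on this page); it places the weak header check beside the strict NLMSG_OK-style check a defender expects, and walks two constructed replies, one well-formed and one whose header claims more bytes than arrived. The local struct mirrors the layout of the kernel's struct nlmsghdr so the example compiles without kernel headers; the message type 20 (SOCK_DIAG_BY_FAMILY), the sample payload bytes and the 4096-byte claimed length are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same field layout as struct nlmsghdr in <linux/netlink.h>; defined locally
 * so the example builds anywhere (assumption: this is a stand-in, not the
 * project's own type). */
struct nl_hdr {
    uint32_t nlmsg_len;   /* header + payload length, as claimed by the sender */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

#define NL_HDRLEN   sizeof(struct nl_hdr)
#define NL_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)
#define NL_DONE     3u    /* NLMSG_DONE: end of a multi-part reply */
#define DIAG_TYPE   20u   /* SOCK_DIAG_BY_FAMILY (assumed for the sample) */

/* Weak check: only confirms a header fits in what is left, then trusts
 * nlmsg_len. A header claiming more than the buffer holds passes, and
 * every later read of the payload runs past the allocation. */
int weak_msg_ok(const struct nl_hdr *h, size_t remaining)
{
    (void)h;
    return remaining >= NL_HDRLEN;
}

/* Strict check with the semantics of the kernel's NLMSG_OK macro: the header
 * fits, the claimed length is at least one header (so the walk always
 * advances), and it does not exceed the bytes left (no over-read, and no
 * unsigned underflow when the caller computes remaining - nlmsg_len). */
int strict_msg_ok(const struct nl_hdr *h, size_t remaining)
{
    return remaining >= NL_HDRLEN &&
           h->nlmsg_len >= NL_HDRLEN &&
           h->nlmsg_len <= remaining;
}

/* Walk a reply buffer using the strict check. Returns the number of messages
 * accepted before NLMSG_DONE, or -1 if any header fails validation.
 * payload_bytes, when non-NULL, receives the total payload size seen. */
int walk_reply(const uint8_t *buf, size_t len, size_t *payload_bytes)
{
    size_t off = 0, payload = 0;
    int count = 0;

    while (off < len) {
        struct nl_hdr h;
        size_t remaining = len - off;
        if (remaining < NL_HDRLEN)
            return -1;
        memcpy(&h, buf + off, NL_HDRLEN);   /* copy out: buf may be unaligned */
        if (!strict_msg_ok(&h, remaining))
            return -1;                      /* crafted length: stop, read no further */
        if (h.nlmsg_type == NL_DONE)
            break;
        payload += h.nlmsg_len - NL_HDRLEN; /* safe: nlmsg_len >= NL_HDRLEN */
        count++;
        off += NL_ALIGN(h.nlmsg_len);       /* aligned advance, as NLMSG_NEXT does */
    }
    if (payload_bytes)
        *payload_bytes = payload;
    return count;
}

/* Write one message at buf+off with an arbitrary claimed length; returns the
 * aligned offset of the next message. Used only to build constructed input. */
static size_t put_msg(uint8_t *buf, size_t off, uint32_t claimed_len,
                      uint16_t type, const void *payload, size_t payload_len)
{
    struct nl_hdr h = { claimed_len, type, 0, 1, 0 };
    memcpy(buf + off, &h, NL_HDRLEN);
    if (payload_len)
        memcpy(buf + off + NL_HDRLEN, payload, payload_len);
    return off + NL_ALIGN(NL_HDRLEN + payload_len);
}

/* Constructed well-formed reply: one 8-byte diag record, then NLMSG_DONE. */
int demo_good(size_t *payload_bytes)
{
    uint8_t buf[64];
    uint8_t rec[8] = { 0x02, 0x06, 0, 0, 0, 0, 0, 0 }; /* constructed bytes */
    size_t n = put_msg(buf, 0, (uint32_t)(NL_HDRLEN + 8), DIAG_TYPE, rec, 8);
    n = put_msg(buf, n, (uint32_t)NL_HDRLEN, NL_DONE, NULL, 0);
    return walk_reply(buf, n, payload_bytes);
}

/* Constructed crafted reply: a lone header claiming 4096 bytes when only a
 * 16-byte header arrived. The weak check accepts it; the strict walk refuses. */
int demo_oversized(int *weak_passes)
{
    uint8_t buf[NL_HDRLEN];
    struct nl_hdr h;
    put_msg(buf, 0, 4096, DIAG_TYPE, NULL, 0);
    memcpy(&h, buf, NL_HDRLEN);
    *weak_passes = weak_msg_ok(&h, sizeof buf);
    return walk_reply(buf, sizeof buf, NULL);
}

/* Constructed crafted reply: nlmsg_len smaller than a header, which would
 * make a naive walk loop in place or underflow its remaining-length counter. */
int demo_undersized(void)
{
    uint8_t buf[NL_HDRLEN];
    put_msg(buf, 0, 8, DIAG_TYPE, NULL, 0);
    return walk_reply(buf, sizeof buf, NULL);
}

int main(void)
{
    size_t p = 0; int w = 0;
    printf("good reply: %d message(s), %zu payload bytes\n", demo_good(&p), p);
    printf("oversized:  walk=%d weak_check_passes=%d\n", demo_oversized(&w), w);
    printf("undersized: walk=%d\n", demo_undersized());
    return 0;
}
```

The strict predicate is the whole fix for this bug class: every field read from the payload is bounded by nlmsg_len, so nlmsg_len itself must first be bounded by the bytes actually received, and the walker must refuse rather than continue when that fails.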

Affected Systems

The vulnerability affects the identd-ng PAM session module pam_authnft on all versions released before 0.2.0‑alpha. This includes any system that has the module installed and configured to bind nftables firewall rules to authenticated sessions via cgroupv2 inodes.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS data is not available, so the exploitation likelihood is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The attack requires sending a carefully crafted NETLINK_SOCK_DIAG reply, implying a local context where the attacker can influence netlink traffic or has sufficient privileges to cause the module to process the reply. Because the flaw can lead to memory corruption, the potential impact is significant, especially on systems where pam_authnft is active.

Generated by OpenCVE AI on May 12, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_authnft to version 0.2.0‑alpha or later, where the buffer over‑read is fixed.
  • Disable pam_authnft and its cgroupv2 integration if the feature is not required for the system’s security posture.
  • Restrict or monitor NETLINK_SOCK_DIAG traffic, ensuring that only trusted processes can send diagnostic messages to the module.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:00:00 +0000

Type / Values Removed / Values Added

  • Description: pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peer_lookup_tcp (src/peer_lookup.c:134, prior to the fix) allowed a crafted NETLINK_SOCK_DIAG reply to slip past the message-size check, then dereference past the end of the allocation. This vulnerability is fixed in 0.2.0-alpha.
  • Title: pam_authnft: Heap buffer overflow in NETLINK_SOCK_DIAG reply walker
  • Weaknesses: CWE-125, CWE-191
  • References: (none)
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:31:44.359Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43916

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T14:17:08.080

Modified: 2026-05-12T14:17:08.080

Link: CVE-2026-43916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:00:13Z

Weaknesses