CVE-2026-43026

Source
https://cve.org/CVERecord?id=CVE-2026-43026
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43026.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43026
Published
2026-05-01T14:15:27.854Z
Modified
2026-07-04T18:29:13.627533158Z
Summary
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent

ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.
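The bug class described above, as a userspace model added for illustration (not kernel code and not part of the CVE record). The one-slot pool, the reduced struct layout, the non-zero check in the dump function and the names pool_alloc, pool_free, alloc_expect, dump_emits_nat and stale_nat_after_reuse are assumptions; the sample address and port are constructed values.

```c
/* Userspace model of the bug class; added example, not kernel code. */
#include <stdint.h>
#include <stdio.h>

/* Only the NAT-related fields; this layout is a simplification (assumption). */
struct expect { uint32_t saved_addr; uint16_t saved_proto; uint8_t dir; };

/* One-slot pool standing in for a non-zeroing slab cache: memory is reused as-is. */
static struct expect slot;
static struct expect *pool_alloc(void) { return &slot; }
static void pool_free(struct expect *e) { (void)e; } /* contents left intact */

/* has_nat: CTA_EXPECT_NAT present; zero_when_absent: the fix's else branch is active. */
static struct expect *alloc_expect(int has_nat, uint32_t addr, uint16_t proto,
                                   int zero_when_absent)
{
    struct expect *e = pool_alloc();
    if (has_nat) {
        e->saved_addr = addr;
        e->saved_proto = proto;
        e->dir = 1;
    } else if (zero_when_absent) {
        e->saved_addr = 0;
        e->saved_proto = 0;
        e->dir = 0;
    }
    return e;
}

/* Models the dump-side decision: a NAT attribute is emitted if either field is set. */
static int dump_emits_nat(const struct expect *e)
{
    return e->saved_addr != 0 || e->saved_proto != 0;
}

/* Prime the slot with a NAT expectation, free it, reallocate without NAT. */
static int stale_nat_after_reuse(int zero_when_absent)
{
    struct expect *e = alloc_expect(1, 0xC0A80001u, 8080, zero_when_absent);
    pool_free(e);
    e = alloc_expect(0, 0, 0, zero_when_absent);
    return dump_emits_nat(e);
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", stale_nat_after_reuse(0), stale_nat_after_reuse(1));
    return 0;
}
```

Without the zeroing branch the second allocation inherits the first occupant's fields and the dump decision fires; with it, the reused object carries no NAT state.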

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43026.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
076a0ca02644657b13e4af363f487ced2942e9cb
Fixed
a5a89db6981a1ddf2314bf50cb49db5a3146185f
Fixed
1c2ebdeff8d088a2e47ae25d7b38447249adace2
Fixed
a64b7bf84b4d5ea54218c5d374ec87fff9000f43
Fixed
2898080c054ea4d6ddfaaf21bbedbc229a9a8376
Fixed
fd002ff2ea030cbfb0188a11b3c60ce7f84485f4
Fixed
929f7a9a7aad9404a5867216c3f8738232355b38
Fixed
bff0f4f06f12d6d9bc565a3e1378abd4f6f5ce36
Fixed
35177c6877134a21315f37d57a5577846225623e

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43026.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.0
Fixed
5.10.253

Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43026.json"