CVE-2026-43027

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfconntrackhelper: pass helper to expect cleanup

nfconntrackhelperunregister() calls nfctexpectiteratedestroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expectiter_me() never matches any expectation and all of them survive the cleanup.

After unregister returns, nfnlcthelperdel() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed.

BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seqprintf+0x17a/0x240 expseqshow+0x2e5/0x560 seqreaditer+0x419/0x1280 procregread+0x1ac/0x270 vfsread+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)