CVE-2026-43453

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftsetpipapo: fix stack out-of-bounds read in pipapo_drop()

pipapodrop() passes rulemap[i + 1].n to pipapounmap() as the tooffset argument on every iteration, including the last one where i == m->fieldcount - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFTPIPAPOMAXFIELDS] with NFTPIPAPOMAXFIELDS == 16).

Although pipapounmap() returns early when islast is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN:

BUG: KASAN: stack-out-of-bounds in pipapodrop+0x50c/0x57c [nftables] Read of size 4 at addr ffff8000810e71a4

This frame has 1 object: [32, 160) 'rulemap'

The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array.

Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.