netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43450
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-08 15:16:57 UTC
Updated2026-05-12 14:10:27 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassing the bounds check, causing an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. The 'goto restart' block was meant to re-traverse the current bucket when "last" is no longer found, but it was placed after the for loop instead of inside it. Move the block into the for loop body so that the restart only occurs while cb->args[0] is still within bounds. BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 Call Trace: nfnl_cthelper_dump_table+0x9f/0x1b0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 sock_recvmsg+0xde/0xf0 __sys_recvfrom+0x150/0x200 __x64_sys_recvfrom+0x76/0x90 do_syscall_64+0xc3/0x6e0 Allocated by task 1: __kvmalloc_node_noprof+0x21b/0x700 nf_ct_alloc_hashtable+0x65/0xd0 nf_conntrack_helper_init+0x21/0x60 nf_conntrack_init_start+0x18d/0x300 nf_conntrack_standalone_init+0x12/0xc0

Risk And Classification

EPSS: 0.000240000 probability, percentile 0.070360000 (date 2026-05-12)

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 0605e1985a95d4334a67869aee45a47e82301abf git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 92441f6d9405a0c18d03f278b395e782f79a4a30 git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 3cc328ffc32ddb389cba7b78b6aa95d995c2876e git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 4a1f6ee69267a5f524102c028981410eeacfa3da git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 894c5780ddadd5fde0e16f66587918e6be1504c4 git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 05018cd9370f77bb18fbf6e15ff33c7a06f10b3c git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 61b3a1f8621df1a5928118313f133996f6a786db git Not specified
CNA Linux Linux affected 12f7a505331e6b2754684b509f2ac8f0011ce644 6dcee8496d53165b2d8a5909b3050b62ae71fe89 git Not specified
CNA Linux Linux affected 3.6 Not specified
CNA Linux Linux unaffected 3.6 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.167 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.130 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.78 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.19 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.9 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report