netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43453
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-08 15:16:58 UTC
Updated2026-05-21 16:52:05 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.000240000 probability, percentile 0.070360000 (date 2026-05-12)

Problem Types: CWE-125

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da 1957e793196e7f8557374fd4eda53abcbb42e1c0 git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da 57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da 60c1d18781e37bfb96290b86510eb01c5fa24d75 git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da 0a55d62cdb628923d8a21724374a70c76ac7d19d git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da dfbdac719198778b581bc0dd055df2542edb8c62 git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da e047f6fbb975f685d6c9fcef95b3b7787a79b46d git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da 324b749aa5b2d516ccfab933df9d3f56e7807f5f git Not specified
CNA Linux Linux affected 3c4287f62044a90e73a561aa05fc46e62da173da d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 git Not specified
CNA Linux Linux affected 5.6 Not specified
CNA Linux Linux unaffected 5.6 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.167 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.130 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.78 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.19 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.9 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report