{"api_version":"1","generated_at":"2026-05-10T15:11:47+00:00","cve":"CVE-2026-43114","urls":{"html":"https://cve.report/CVE-2026-43114","api":"https://cve.report/api/cve/CVE-2026-43114.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43114","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43114"},"summary":{"title":"netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a ranomly generated pipapo set\nwith 'ipv4 . port' key, i.e.  nft -f foo.\n\nThis works.  Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because its the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n    We successfully re-inserted\n      a . b\n      c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation.  It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic c implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erronously\nreported as a full, identical duplicate.\n\nThe root-cause is too early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 10:16:25","updated_at":"2026-05-08 17:54:04"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"9.4","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.4","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"baseScore":9.4,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c","name":"https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece","name":"https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed","name":"https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52","name":"https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb","name":"https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43114","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43114","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7400b063969bdca4a06cd97f1294d765c8eecbe1 fa4f1f52528c73989d820f32bfca06bec5afeece git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7400b063969bdca4a06cd97f1294d765c8eecbe1 3d53f9aafd469ae1ea27051e00f5b96ca1b55d52 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7400b063969bdca4a06cd97f1294d765c8eecbe1 07de44424bb7f17ef9357e8535df96d9e97c40cb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7400b063969bdca4a06cd97f1294d765c8eecbe1 0abbc43f71d99baadeeba6fa3fe1c80b676f57ed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7400b063969bdca4a06cd97f1294d765c8eecbe1 d3c0037ffe1273fa1961e779ff6906234d6cf53c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.136 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.83 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"43114","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43114","cve":"CVE-2026-43114","epss":"0.000430000","percentile":"0.132400000","score_date":"2026-05-09","updated_at":"2026-05-10 00:03:04"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/netfilter/nft_set_pipapo_avx2.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fa4f1f52528c73989d820f32bfca06bec5afeece","status":"affected","version":"7400b063969bdca4a06cd97f1294d765c8eecbe1","versionType":"git"},{"lessThan":"3d53f9aafd469ae1ea27051e00f5b96ca1b55d52","status":"affected","version":"7400b063969bdca4a06cd97f1294d765c8eecbe1","versionType":"git"},{"lessThan":"07de44424bb7f17ef9357e8535df96d9e97c40cb","status":"affected","version":"7400b063969bdca4a06cd97f1294d765c8eecbe1","versionType":"git"},{"lessThan":"0abbc43f71d99baadeeba6fa3fe1c80b676f57ed","status":"affected","version":"7400b063969bdca4a06cd97f1294d765c8eecbe1","versionType":"git"},{"lessThan":"d3c0037ffe1273fa1961e779ff6906234d6cf53c","status":"affected","version":"7400b063969bdca4a06cd97f1294d765c8eecbe1","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/netfilter/nft_set_pipapo_avx2.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.7"},{"lessThan":"5.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.136","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.83","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.83","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","versionStartIncluding":"5.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a ranomly generated pipapo set\nwith 'ipv4 . port' key, i.e.  nft -f foo.\n\nThis works.  Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because its the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n    We successfully re-inserted\n      a . b\n      c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation.  It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic c implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erronously\nreported as a full, identical duplicate.\n\nThe root-cause is too early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map."}],"metrics":[{"cvssV3_1":{"baseScore":9.4,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-08T12:40:39.582Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece"},{"url":"https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52"},{"url":"https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb"},{"url":"https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed"},{"url":"https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c"}],"title":"netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43114","datePublished":"2026-05-06T07:40:39.877Z","dateReserved":"2026-05-01T14:12:55.986Z","dateUpdated":"2026-05-08T12:40:39.582Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 10:16:25","lastModifiedDate":"2026-05-08 17:54:04","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.136","matchCriteriaId":"BC0C578E-B609-43BE-90EB-06C9FE9CA83D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43114","Ordinal":"1","Title":"netfilter: nft_set_pipapo_avx2: don't return non-matching entry ","CVE":"CVE-2026-43114","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43114","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a ranomly generated pipapo set\nwith 'ipv4 . port' key, i.e.  nft -f foo.\n\nThis works.  Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because its the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n    We successfully re-inserted\n      a . b\n      c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation.  It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic c implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erronously\nreported as a full, identical duplicate.\n\nThe root-cause is too early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map.","Type":"Description","Title":"netfilter: nft_set_pipapo_avx2: don't return non-matching entry "}]}}}