{"api_version":"1","generated_at":"2026-05-13T08:26:27+00:00","cve":"CVE-2026-43450","urls":{"html":"https://cve.report/CVE-2026-43450","api":"https://cve.report/api/cve/CVE-2026-43450.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43450","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43450"},"summary":{"title":"netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body.  When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared.  The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it.  Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n  nfnl_cthelper_dump_table+0x9f/0x1b0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  sock_recvmsg+0xde/0xf0\n  __sys_recvfrom+0x150/0x200\n  __x64_sys_recvfrom+0x76/0x90\n  do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n  __kvmalloc_node_noprof+0x21b/0x700\n  nf_ct_alloc_hashtable+0x65/0xd0\n  nf_conntrack_helper_init+0x21/0x60\n  nf_conntrack_init_start+0x18d/0x300\n  nf_conntrack_standalone_init+0x12/0xc0","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:57","updated_at":"2026-05-12 14:10:27"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30","name":"https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89","name":"https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db","name":"https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da","name":"https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e","name":"https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf","name":"https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c","name":"https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4","name":"https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43450","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43450","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 0605e1985a95d4334a67869aee45a47e82301abf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 92441f6d9405a0c18d03f278b395e782f79a4a30 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 3cc328ffc32ddb389cba7b78b6aa95d995c2876e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 4a1f6ee69267a5f524102c028981410eeacfa3da git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 894c5780ddadd5fde0e16f66587918e6be1504c4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 05018cd9370f77bb18fbf6e15ff33c7a06f10b3c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 61b3a1f8621df1a5928118313f133996f6a786db git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 12f7a505331e6b2754684b509f2ac8f0011ce644 6dcee8496d53165b2d8a5909b3050b62ae71fe89 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.6","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.6 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.19 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43450","cve":"CVE-2026-43450","epss":"0.000240000","percentile":"0.070360000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/netfilter/nfnetlink_cthelper.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"0605e1985a95d4334a67869aee45a47e82301abf","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"92441f6d9405a0c18d03f278b395e782f79a4a30","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"3cc328ffc32ddb389cba7b78b6aa95d995c2876e","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"4a1f6ee69267a5f524102c028981410eeacfa3da","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"894c5780ddadd5fde0e16f66587918e6be1504c4","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"05018cd9370f77bb18fbf6e15ff33c7a06f10b3c","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"61b3a1f8621df1a5928118313f133996f6a786db","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"},{"lessThan":"6dcee8496d53165b2d8a5909b3050b62ae71fe89","status":"affected","version":"12f7a505331e6b2754684b509f2ac8f0011ce644","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/netfilter/nfnetlink_cthelper.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.6"},{"lessThan":"3.6","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.19","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.19","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"3.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body.  When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared.  The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it.  Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n  nfnl_cthelper_dump_table+0x9f/0x1b0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  sock_recvmsg+0xde/0xf0\n  __sys_recvfrom+0x150/0x200\n  __x64_sys_recvfrom+0x76/0x90\n  do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n  __kvmalloc_node_noprof+0x21b/0x700\n  nf_ct_alloc_hashtable+0x65/0xd0\n  nf_conntrack_helper_init+0x21/0x60\n  nf_conntrack_init_start+0x18d/0x300\n  nf_conntrack_standalone_init+0x12/0xc0"}],"providerMetadata":{"dateUpdated":"2026-05-11T22:24:49.527Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf"},{"url":"https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30"},{"url":"https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e"},{"url":"https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da"},{"url":"https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4"},{"url":"https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c"},{"url":"https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db"},{"url":"https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89"}],"title":"netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43450","datePublished":"2026-05-08T14:22:15.915Z","dateReserved":"2026-05-01T14:12:56.010Z","dateUpdated":"2026-05-11T22:24:49.527Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:57","lastModifiedDate":"2026-05-12 14:10:27","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43450","Ordinal":"1","Title":"netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dum","CVE":"CVE-2026-43450","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43450","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body.  When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared.  The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it.  Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n  nfnl_cthelper_dump_table+0x9f/0x1b0\n  netlink_dump+0x333/0x880\n  netlink_recvmsg+0x3e2/0x4b0\n  sock_recvmsg+0xde/0xf0\n  __sys_recvfrom+0x150/0x200\n  __x64_sys_recvfrom+0x76/0x90\n  do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n  __kvmalloc_node_noprof+0x21b/0x700\n  nf_ct_alloc_hashtable+0x65/0xd0\n  nf_conntrack_helper_init+0x21/0x60\n  nf_conntrack_init_start+0x18d/0x300\n  nf_conntrack_standalone_init+0x12/0xc0","Type":"Description","Title":"netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dum"}]}}}