CVE-2026-43024 Overview
CVE-2026-43024 is a Linux kernel vulnerability in the netfilter subsystem, specifically within nf_tables. The flaw involves the handling of immediate NF_QUEUE verdicts emitted directly from rules. The userspace nft tooling never emits an immediate NF_QUEUE verdict, yet the kernel previously accepted them. The arp family does not provide queue support, but an immediate NF_QUEUE verdict remained reachable through this path. The kernel patch globally rejects immediate NF_QUEUE verdicts to close this inconsistent state.
Critical Impact
An immediate NF_QUEUE verdict reaching a netfilter family without queue support, such as arp, hands a packet to a verdict path that the family does not implement. The kernel accepted such a verdict at rule-load time but could not service it at packet-processing time; that mismatch is the inconsistent state the fix removes.
Affected Products
- Linux kernel nf_tables netfilter subsystem
- Stable kernel branches that predate the backported fix
- Systems that accept nf_tables rulesets from untrusted or partially trusted netlink clients; the nft tool never emits an immediate NF_QUEUE verdict, so only custom netlink code can produce one
Discovery Timeline
- 2026-05-01 - CVE-2026-43024 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43024
Vulnerability Analysis
The vulnerability resides in the Linux kernel netfilter nf_tables framework. nft_queue is the expression that delivers packets to userspace via the NF_QUEUE verdict, and userspace nftables always uses nft_queue to issue this verdict. The kernel additionally accepted an immediate verdict (nft_immediate) carrying NF_QUEUE directly from a rule, even though no userspace tool emits this construction.
The issue becomes consequential in the arp family. The arp netfilter family does not implement queue handling. Despite this, an attacker or misconfigured ruleset crafting an immediate NF_QUEUE verdict could reach a code path that the family does not support. This represents a kernel-level input validation gap [CWE-20] in verdict acceptance.
The upstream fix globally rejects immediate NF_QUEUE verdicts during rule loading, regardless of the family. This eliminates the inconsistent state where the kernel accepted a verdict it could not safely service.
Root Cause
The root cause is missing validation in the immediate verdict acceptance path of nf_tables. The kernel did not reject NF_QUEUE verdicts emitted via nft_immediate, even for families lacking queue support. The fix introduces a check that returns an error when an immediate verdict carries NF_QUEUE.
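The verdict layout and the load-time check described above, as an added userspace model (not kernel code and not the patch itself): the constants mirror the values in include/uapi/linux/netfilter.h and include/uapi/linux/netfilter/nf_tables.h, while the validation logic is a reconstruction of the behaviour the advisory describes, with the pre-fix and post-fix policies side by side. The function names `vulnerable_load` and `fixed_load` are hypothetical.

```python
"""Userspace model of nf_tables immediate-verdict validation (added example).

The verdict word is 32 bits: NF_* actions live in the low byte with a queue
number (or errno for NF_DROP) in the upper bits; nf_tables' own NFT_* verdicts
are negative and stored as a u32. Not kernel code.
"""
import errno

# Netfilter hook verdicts (low byte of the verdict word), uapi values.
NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT, NF_STOP = range(6)
NF_VERDICT_MASK = 0x000000FF
NF_VERDICT_QBITS = 16
NF_VERDICT_QMASK = 0xFFFF0000

# nf_tables-specific verdicts (uapi values); negative, carried in a u32.
NFT_CONTINUE, NFT_BREAK, NFT_JUMP, NFT_GOTO, NFT_RETURN = -1, -2, -3, -4, -5
U32 = 0xFFFFFFFF
_NFT_VERDICTS = {v & U32 for v in (NFT_CONTINUE, NFT_BREAK, NFT_JUMP, NFT_GOTO, NFT_RETURN)}


def nf_queue_verdict(queue_num: int) -> int:
    """Encode NF_QUEUE with the target queue number in the upper 16 bits,
    the layout nf_queue's NF_QUEUE_NR() macro produces."""
    if not 0 <= queue_num <= 0xFFFF:
        raise ValueError("queue number must fit in 16 bits")
    return (queue_num << NF_VERDICT_QBITS) | NF_QUEUE


def queue_num_of(verdict: int) -> int:
    """Recover the queue number from an encoded NF_QUEUE verdict."""
    return (verdict & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS


def validate_immediate_verdict(code: int, reject_queue: bool) -> int:
    """Return 0 if an nft_immediate expression may carry `code`, else -errno.

    NFT_* verdicts are matched on the whole word; NF_* verdicts are matched on
    the low byte only, so a queue number in the upper bits does not hide the
    NF_QUEUE action. (Chain targets for JUMP/GOTO are validated elsewhere in
    the real kernel and are out of scope for this model.)
    """
    code &= U32
    if code in _NFT_VERDICTS:
        return 0
    action = code & NF_VERDICT_MASK
    if action in (NF_ACCEPT, NF_DROP):
        return 0
    if action == NF_QUEUE:
        # Pre-fix policy: accepted for every family, including arp, which has
        # no queue handler. Post-fix policy: rejected globally at rule load.
        return -errno.EINVAL if reject_queue else 0
    return -errno.EINVAL


def vulnerable_load(code: int) -> int:
    """Hypothetical name: verdict acceptance before the fix."""
    return validate_immediate_verdict(code, reject_queue=False)


def fixed_load(code: int) -> int:
    """Hypothetical name: verdict acceptance after the fix."""
    return validate_immediate_verdict(code, reject_queue=True)


if __name__ == "__main__":
    v = nf_queue_verdict(7)
    print(f"NF_QUEUE to queue {queue_num_of(v)} encodes as 0x{v:08x}")
    for name, verdict in (("immediate NF_QUEUE 7", v),
                          ("immediate NF_ACCEPT", NF_ACCEPT),
                          ("immediate NFT_CONTINUE", NFT_CONTINUE)):
        print(f"{name:24s} pre-fix={vulnerable_load(verdict):4d} post-fix={fixed_load(verdict):4d}")
```

The point the model makes is that the queue number sits in bits the action check never looks at, so an NF_QUEUE verdict with any queue number passed the pre-fix policy; the fix rejects the action byte itself, which is why it can be applied to every family rather than only to arp.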
Attack Vector
An entity capable of loading nf_tables rulesets, which requires CAP_NET_ADMIN in the target network namespace, could construct a rule whose immediate verdict is NF_QUEUE in the arp family. Local unprivileged users cannot reach this interface directly; on kernels that allow unprivileged user namespaces, however, an unprivileged user can create a user and network namespace pair in which they hold CAP_NET_ADMIN, which is why restricting unprivileged user namespaces appears among the mitigations. The vulnerability is not network-reachable.
The vulnerability manifests through the nft_immediate expression accepting NF_QUEUE as a verdict value. See the kernel commits referenced below for the validation logic added during remediation.
Detection Methods for CVE-2026-43024
Indicators of Compromise
- Kernel logs showing unexpected nf_tables errors or warnings during ruleset loading
- Audit events for nftables rule installation by non-administrative processes
- Loading of nf_tables rules with immediate verdicts referencing queue numbers in the arp family
Detection Strategies
- Inventory running kernel versions across the fleet and compare against fixed stable releases referenced by the kernel.org commits
- Audit nftables rulesets in production with nft list ruleset; a queue statement in the listing is the legitimate nft_queue expression, and nft has no syntax for the immediate form, so treat matches as a starting point for reviewing which processes load rules rather than as proof of the vulnerable construction
- Monitor for processes invoking nft or the NETLINK_NETFILTER socket family from unexpected user contexts
Monitoring Recommendations
- Enable kernel auditing of netfilter netlink use with auditd syscall rules on socket() calls whose domain is AF_NETLINK (16) and protocol is NETLINK_NETFILTER (12), tagged with a key so the events are easy to search
- Track creation of new network namespaces with CAP_NET_ADMIN granted to container workloads
- Centralize kernel dmesg output and netfilter subsystem messages for review
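The netlink monitoring and triage recommended above, as an added example that is not part of the advisory: it emits the auditd rule for NETLINK_NETFILTER socket creation and then flags matching SYSCALL records. It assumes x86_64 (socket() is syscall 41), auditd's convention of logging syscall arguments as bare hex, and a hypothetical allow-list of binaries expected to talk to nf_tables; the sample records are constructed for the example.

```python
"""Flag NETLINK_NETFILTER socket creation in auditd SYSCALL records (added example)."""
import re

AF_NETLINK = 16           # socket() a0 on Linux
NETLINK_NETFILTER = 12    # socket() a2 on Linux
SOCKET_SYSCALL_X86_64 = 41  # assumption: x86_64 syscall table

# Rule for /etc/audit/rules.d/ (auditctl takes decimal argument values).
AUDIT_RULE = (f"-a always,exit -F arch=b64 -S socket "
              f"-F a0={AF_NETLINK} -F a2={NETLINK_NETFILTER} -k nfnetlink")

# key=value pairs; string values are double-quoted, everything else is bare.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into a field dict, stripping quotes from strings."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def is_nfnetlink_socket(rec: dict) -> bool:
    """True for socket(AF_NETLINK, *, NETLINK_NETFILTER); args are logged in hex."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(SOCKET_SYSCALL_X86_64):
        return False
    try:
        return (int(rec.get("a0", "0"), 16) == AF_NETLINK
                and int(rec.get("a2", "0"), 16) == NETLINK_NETFILTER)
    except ValueError:
        return False


def flag_nfnetlink_events(lines, trusted_exes=("/usr/sbin/nft",)):
    """Yield (pid, uid, comm, exe) for each nfnetlink socket() not opened by a
    trusted binary. The allow-list is a hypothetical site policy; pair it with
    auid/uid review, since nft itself can be run from inside a namespace."""
    for line in lines:
        rec = parse_record(line)
        if is_nfnetlink_socket(rec) and rec.get("exe") not in trusted_exes:
            yield rec.get("pid"), rec.get("uid"), rec.get("comm"), rec.get("exe")


# Constructed sample records: one unexpected client, one AF_INET socket, one nft run as root.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1777600000.100:101): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="nfnetlink"
type=SYSCALL msg=audit(1777600000.200:102): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key=(null)
type=SYSCALL msg=audit(1777600000.300:103): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=0 items=0 ppid=1 pid=4244 auid=0 uid=0 gid=0 euid=0 comm="nft" exe="/usr/sbin/nft" key="nfnetlink"
"""

if __name__ == "__main__":
    print(AUDIT_RULE)
    for pid, uid, comm, exe in flag_nfnetlink_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"unexpected nfnetlink client pid={pid} uid={uid} comm={comm} exe={exe}")
```

On a live host, feed the function with ausearch -k nfnetlink output or the raw audit.log; the a0/a2 filter catches raw netlink clients that never exec nft, which is the only way an immediate NF_QUEUE verdict can be produced.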
How to Mitigate CVE-2026-43024
Immediate Actions Required
- Apply vendor-provided kernel updates that include the netfilter nf_tables immediate NF_QUEUE verdict rejection patch
- Identify any rulesets that rely on immediate NF_QUEUE verdicts (these can only come from custom netlink code, since the nft tool does not emit them) and migrate them to the nft_queue expression, the queue statement in nft syntax
- Restrict CAP_NET_ADMIN and unprivileged user namespace access where not required
Patch Information
The fix has been merged into multiple stable kernel branches. Reference commits include 17dc5d5a935c, 2f7f825a548b, 42a47f4b1b76, 4b12a3cc3f07, 68390437a998, da107398cbd4, f140593901724, and f710691be163. Apply distribution kernel updates that incorporate these commits.
Workarounds
- Unload the nf_tables module on systems that do not require it using modprobe -r nf_tables; this fails while any table exists or a dependent module is loaded, removes all nftables filtering, and the module is loaded again on demand by the next netfilter netlink request unless it is also blacklisted under /etc/modprobe.d
- Restrict creation of unprivileged user namespaces: kernel.unprivileged_userns_clone=0 on Debian- and Ubuntu-derived kernels that carry that sysctl, or user.max_user_namespaces=0 on mainline kernels (the latter applies to root as well and breaks container runtimes that rely on user namespaces, so test before fleet-wide rollout)
- Audit and remove any custom rulesets that emit immediate NF_QUEUE verdicts pending kernel patch deployment
# Disable unprivileged user namespaces to limit nf_tables ruleset loading
# (sysctl -w is not persistent; add the setting under /etc/sysctl.d/ to survive reboots)
sysctl -w kernel.unprivileged_userns_clone=0 2>/dev/null || sysctl -w user.max_user_namespaces=0
# Verify current kernel version against fixed stable releases
uname -r
# Inspect existing nftables rulesets for queue verdicts
# (matches are legitimate nft_queue statements; nft cannot express the immediate form)
nft list ruleset | grep -iw queue
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.