CVE-2026-43025: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-43025 Overview

CVE-2026-43025 is an out-of-bounds read vulnerability in the Linux kernel's netfilter ctnetlink subsystem. The flaw resides in the connection tracking expectation handling code, specifically in nf_ct_expect_related_report(). When userspace creates a new conntrack expectation via netlink and supplies an explicit helper through CTA_EXPECT_HELP_NAME that differs from the master conntrack helper, the kernel validates CTA_EXPECT_CLASS against the wrong helper. This mismatch causes the kernel to read memory beyond the bounds of the expectation structure, leaking kernel memory contents.

Critical Impact

A local user with CAP_NET_ADMIN in any user namespace can trigger a slab out-of-bounds read in the kernel, leading to information disclosure and potential system instability.

Affected Products

• Linux kernel netfilter connection tracking netlink interface (ctnetlink)
• Multiple stable Linux kernel branches that include the nf_ct_expect_related_report expectation path
• Any distribution kernel built from the affected upstream sources prior to the listed fix commits

Discovery Timeline

• 2026-05-01 - CVE-2026-43025 published to NVD
• 2026-05-03 - Last updated in NVD database

Technical Details for CVE-2026-43025

Vulnerability Analysis

The vulnerability lives in the ctnetlink_create_expect() and ctnetlink_new_expect() paths inside net/netfilter/nf_conntrack_netlink.c. When a userspace process sends a netlink message to create a new conntrack expectation, it can include CTA_EXPECT_HELP_NAME to specify a connection tracking helper such as FTP, SIP, or PPTP. The kernel previously honored this user-supplied helper when validating the expectation class via CTA_EXPECT_CLASS.

The issue surfaces when the helper provided by userspace differs from the helper already attached to the master conntrack entry. The expect_class_max field used to validate the class index belongs to the master conntrack's helper, while the validation code dereferences fields based on the userspace-supplied helper. This mismatch allows reads past the end of the expectation structure, as confirmed by the KASAN report showing a 4-byte slab-out-of-bounds read in nf_ct_expect_related_report+0x2479/0x27c0.

Root Cause

The root cause is improper input validation [CWE-20] combined with an out-of-bounds read [CWE-125]. The kernel trusts the userspace-supplied helper for class validation rather than enforcing the master conntrack's existing helper. The upstream fix removes this trust boundary entirely. The patch makes ctnetlink ignore any explicit helper supplied through CTA_EXPECT_HELP_NAME for new expectations and uses only the existing master conntrack helper. The attribute is retained for netlink dump output to userspace but no longer drives kernel-side validation.

Attack Vector

Exploitation requires local access and the CAP_NET_ADMIN capability, which is available within unprivileged user namespaces on many distributions. An attacker crafts a netlink message to nfnetlink requesting creation of a new conntrack expectation. The message specifies a CTA_EXPECT_HELP_NAME that differs from the helper bound to the master conntrack and includes a CTA_EXPECT_CLASS value crafted to read beyond the helper's expected class array. The resulting out-of-bounds read can disclose adjacent slab memory and may trigger a kernel oops under KASAN or hardened configurations. See the upstream commit 917b61fa2042 for the full code path.

Detection Methods for CVE-2026-43025

Indicators of Compromise

• KASAN reports referencing nf_ct_expect_related_report, ctnetlink_create_expect, or ctnetlink_new_expect in kernel logs
• Unexpected nfnetlink_rcv_msg activity from non-administrative user sessions or container workloads
• Kernel oops or panic entries in dmesg correlated with netlink traffic from unprivileged processes

Detection Strategies

• Audit kernel versions on Linux endpoints and servers and compare against the fixed commits referenced in the upstream stable tree
• Enable kernel auditd rules for netlink socket creation and capability use of CAP_NET_ADMIN from non-root processes or containers
• Inspect container runtime configurations to identify workloads granted CAP_NET_ADMIN or running with unprivileged user namespaces enabled

Monitoring Recommendations

• Forward dmesg and /var/log/kern.log to a centralized logging platform and alert on KASAN slab-out-of-bounds signatures
• Monitor process telemetry for unusual nfnetlink socket usage by non-administrative users or sandboxed processes
• Track kernel version drift across the fleet to confirm patch deployment progress

How to Mitigate CVE-2026-43025

Immediate Actions Required

• Apply the latest stable Linux kernel update from your distribution that includes the upstream fix commits listed in the NVD references
• Restrict CAP_NET_ADMIN in containerized workloads and disable unprivileged user namespaces where they are not required (kernel.unprivileged_userns_clone=0 on supported distributions)
• Audit and remove unnecessary access to the nfnetlink interface for non-administrative users and services

Patch Information

The upstream Linux kernel maintainers resolved CVE-2026-43025 across multiple stable branches. Relevant fix commits include 0f6c33697ccf, 187b6ec5229e, 21a04c31db40, 2ea0f35f235f, 917b61fa2042, and e135f8e8212c. Update to a distribution kernel that incorporates these commits.

Workarounds

• Disable unprivileged user namespaces to prevent low-privilege users from acquiring CAP_NET_ADMIN
• Block or restrict access to the NFNL_SUBSYS_CTNETLINK_EXP netlink subsystem through SELinux or AppArmor policy where feasible
• Run untrusted workloads inside containers configured without CAP_NET_ADMIN and with seccomp profiles that deny socket(AF_NETLINK, ...) for NETLINK_NETFILTER

# Configuration example: disable unprivileged user namespaces
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-harden.conf

# Verify running kernel version against fixed releases
uname -r