CVE-2026-43027 Overview
CVE-2026-43027 is a use-after-free vulnerability in the Linux kernel's netfilter nf_conntrack_helper subsystem. The flaw resides in nf_conntrack_helper_unregister(), which calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. nf_conntrack_helper_unregister() passes NULL instead of the helper pointer as the data argument, so the expect_iter_me() predicate never matches any expectation. As a result, expectations referencing the helper survive the cleanup. After nfnl_cthelper_del() frees the helper object, subsequent expectation dumps or init_conntrack() calls dereference the freed exp->helper, triggering a use-after-free condition detected by KASAN.
Critical Impact
Local attackers can trigger a kernel use-after-free by reading conntrack expectation data after a helper unregistration, leading to potential memory corruption or privilege escalation.
Affected Products
- Linux kernel (multiple stable branches affected per kernel.org commits)
- Distributions shipping kernels with the netfilter nf_conntrack_helper subsystem
- Systems using nfnetlink_cthelper for user-space conntrack helper registration
Discovery Timeline
- 2026-05-01 - CVE-2026-43027 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43027
Vulnerability Analysis
The vulnerability is a use-after-free [CWE-416] in the Linux kernel's connection tracking helper infrastructure. When a conntrack helper is unregistered, the kernel must remove any pending expectations that reference it. The cleanup logic invokes nf_ct_expect_iterate_destroy() with a callback expect_iter_me() that compares each expectation's helper pointer against a supplied data argument.
The defect is that nf_conntrack_helper_unregister() passes NULL rather than the helper pointer being unregistered. The match function therefore never identifies any expectation as belonging to the helper, and every expectation survives. Control then returns to nfnl_cthelper_del(), which proceeds to free the helper object via kfree.
Any later access to the orphaned expectations dereferences a dangling exp->helper pointer. The KASAN report shows the read occurring inside string() during seq_printf(), called from exp_seq_show() when reading /proc/net/nf_conntrack_expect. Packet processing paths reaching init_conntrack() can also trigger the same dereference.
Root Cause
The root cause is an incorrect argument passed to a callback-based iteration function. The expect_iter_me() predicate requires the helper pointer for comparison, but the caller supplied NULL, defeating the cleanup logic entirely. This is a logic bug rather than a memory boundary error, but its consequence is a stale pointer accessible after free.
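The following stand-alone model is an added example, not kernel source: it reproduces the cleanup logic described above with simplified stand-ins for the kernel's structures and shows that passing NULL as the predicate's data argument leaves every expectation that references the helper alive, while passing the helper pointer (as the fix does) removes them.

```c
/* Added example: a stand-alone model of the expectation cleanup performed by
 * nf_conntrack_helper_unregister(). The struct and function names are
 * simplified stand-ins for the kernel's; this is not kernel source. */
#include <stdbool.h>
#include <stddef.h>

struct helper { const char *name; };
struct expect { struct expect *next; struct helper *helper; };

/* Mirrors the kernel predicate expect_iter_me(): true when the expectation
 * references the helper handed in through data. Passing data == NULL means
 * it can only match an expectation whose helper pointer is already NULL. */
static bool expect_iter_me(struct expect *exp, void *data)
{
    const struct helper *me = data;
    return exp->helper == me;
}

/* Stand-in for nf_ct_expect_iterate_destroy(): unlinks every expectation for
 * which iter() returns true and returns how many were removed. */
static int expect_iterate_destroy(struct expect **head,
                                  bool (*iter)(struct expect *, void *), void *data)
{
    int destroyed = 0;
    struct expect **pp = head;
    while (*pp) {
        struct expect *exp = *pp;
        if (iter(exp, data)) { *pp = exp->next; destroyed++; }
        else pp = &exp->next;
    }
    return destroyed;
}

/* Runs the unregister cleanup over a constructed list of three expectations,
 * two of which reference the helper being removed (ftp). buggy == true passes
 * NULL as the vulnerable code did; buggy == false passes the helper pointer as
 * the fix does. Returns how many survivors would dangle after kfree(helper). */
int orphaned_after_unregister(bool buggy)
{
    struct helper ftp = { "ftp" }, sip = { "sip" };
    struct expect e3 = { NULL, &sip }, e2 = { &e3, &ftp }, e1 = { &e2, &ftp };
    struct expect *list = &e1;
    struct helper *me = &ftp;
    int orphans = 0;

    expect_iterate_destroy(&list, expect_iter_me, buggy ? NULL : me);

    for (struct expect *exp = list; exp; exp = exp->next)
        if (exp->helper == me) orphans++;
    return orphans;
}
```

The kernel's real expect_iter_me() also compares the master connection's helper; the model keeps only the exp->helper comparison that the advisory discusses.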
Attack Vector
A local attacker with the ability to register and unregister conntrack helpers via nfnetlink_cthelper can stage the use-after-free. After triggering a helper unregistration with active expectations, the attacker reads /proc/net/nf_conntrack_expect or sends traffic that invokes init_conntrack(). The kernel then dereferences the freed helper structure, producing memory corruption suitable for further exploitation.
The vulnerability mechanism is described in detail in the upstream patches. See the kernel.org commit fixing the helper pointer for the exact code change.
Detection Methods for CVE-2026-43027
Indicators of Compromise
- KASAN slab-use-after-free reports referencing string+0x38f/0x430, vsnprintf, seq_printf, or exp_seq_show in kernel logs
- Unexpected kernel oops or panic traces originating from init_conntrack() after cthelper unregistration
- Unprivileged or container processes invoking nfnetlink_cthelper to register and remove helpers in rapid succession
Detection Strategies
- Monitor kernel ring buffer (dmesg) for KASAN reports tagged slab-use-after-free involving conntrack expectation paths
- Audit usage of the NFNL_SUBSYS_CTHELPER netlink subsystem to identify processes registering or deleting conntrack helpers
- Track reads of /proc/net/nf_conntrack_expect correlated with prior helper deletion events
Monitoring Recommendations
- Enable KASAN on test kernels to surface use-after-free conditions during fuzzing or canary deployment
- Forward kernel logs to a centralized analytics platform and alert on "BUG: KASAN" and "general protection fault" patterns
- Review audit logs for the CAP_NET_ADMIN capability use within unprivileged containers or user namespaces
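As an added example of the Detection Strategies and Monitoring Recommendations above (not tooling from this advisory), the following scanner picks out KASAN slab-use-after-free reports whose call trace passes through the expectation dump or packet path; the dmesg excerpt it runs over is a constructed sample.

```c
/* Added example: a scanner for KASAN slab-use-after-free reports whose call
 * trace passes through the conntrack expectation paths named in this
 * advisory. The log text below is a constructed sample, not a real report. */
#include <stdbool.h>
#include <string.h>

/* Frames that tie a report to the expectation dump or packet path. */
static const char *const expect_frames[] = {
    "exp_seq_show", "init_conntrack", "nf_ct_expect", NULL
};

/* Walks the log line by line. A report starts at a "BUG: KASAN:
 * slab-use-after-free" line and runs until the next one; it counts as a hit
 * when any line in it mentions one of expect_frames. Returns the hit count. */
int count_conntrack_uaf_reports(const char *log)
{
    int hits = 0;
    bool in_report = false, matched = false;
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strstr(line, "BUG: KASAN: slab-use-after-free")) {
            if (in_report && matched) hits++;   /* close the previous report */
            in_report = true; matched = false;
        } else if (in_report) {
            for (int i = 0; expect_frames[i]; i++)
                if (strstr(line, expect_frames[i])) matched = true;
        }
        p = nl ? nl + 1 : p + len;
    }
    if (in_report && matched) hits++;
    return hits;
}

/* Constructed dmesg excerpt: the first report is the exp_seq_show() path
 * described in this advisory, the second is an unrelated use-after-free. */
const char *const sample_dmesg =
    "[ 12.10] BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n"
    "[ 12.10] Call Trace:\n"
    "[ 12.10]  seq_printf+0x9b/0xd0\n"
    "[ 12.10]  exp_seq_show+0x1f2/0x2a0\n"
    "[ 30.70] BUG: KASAN: slab-use-after-free in other_fn+0x10/0x20\n"
    "[ 30.70]  unrelated_driver_read+0x42/0x80\n";
```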
How to Mitigate CVE-2026-43027
Immediate Actions Required
- Apply, through your distribution's kernel update, the upstream Linux kernel patches that pass the actual helper pointer to nf_ct_expect_iterate_destroy()
- Restrict CAP_NET_ADMIN and access to user namespaces for untrusted workloads to prevent local triggering
- Disable or unload the nfnetlink_cthelper module on systems that do not require user-space conntrack helpers
Patch Information
The fix is committed across multiple stable Linux kernel branches. Apply the vendor kernel update that incorporates the relevant commit, for example commit 2c16e4d6, commit 2cf2737c, commit 504ba416, commit 5cf28d5c, commit 620f3d14, commit 90bd7e85, commit a242a9ae, or commit dc1739ef. The fix passes the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed.
Workarounds
- Blacklist the nfnetlink_cthelper kernel module where conntrack helpers are not in use
- Deny CAP_NET_ADMIN to container workloads via seccomp, AppArmor, or SELinux policies
- Avoid exposing /proc/net/nf_conntrack_expect to unprivileged users in shared multi-tenant systems
# Configuration example: blacklist nfnetlink_cthelper module
# Note: "blacklist" only stops alias-based autoloading; the "install" line also
# refuses an explicit modprobe. Neither applies if the feature is built into the kernel.
echo 'blacklist nfnetlink_cthelper' | sudo tee /etc/modprobe.d/blacklist-cthelper.conf
echo 'install nfnetlink_cthelper /bin/false' | sudo tee -a /etc/modprobe.d/blacklist-cthelper.conf
# rmmod fails while a user-space helper is still registered; remove helpers first
sudo rmmod nfnetlink_cthelper 2>/dev/null || true
# Verify the module is not loaded (no lsmod match means it is absent)
lsmod | grep nfnetlink_cthelper || echo "nfnetlink_cthelper not loaded"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.