CVE-2026-43060 Overview
CVE-2026-43060 affects the Linux kernel netfilter subsystem, specifically the nft_ct module that exposes connection tracking to nf_tables rules. Packets queued to userspace through nfqueue can hold references to conntrack templates, timeout policies, and helper objects. When the module that owns those objects is unloaded, or the objects themselves are deleted, they can disappear while packets still reference them. The result is a stale pointer that the kernel may dereference after the backing memory has been freed.
The upstream fix drops pending enqueued packets when these objects are removed. This prevents the kernel from operating on freed conntrack state. The vulnerability was patched across multiple stable kernel branches.
Critical Impact
Stale references to conntrack templates and timeout policies may lead to use-after-free conditions in kernel context, with potential for memory corruption or denial of service.
Affected Products
- Linux kernel netfilter subsystem (nft_ct module)
- Conntrack template, timeout, and helper objects referenced from nfqueue
- Multiple stable kernel branches receiving backports per the upstream commits
Discovery Timeline
- 2026-05-05 - CVE-2026-43060 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43060
Vulnerability Analysis
The Linux kernel netfilter framework lets userspace inspect packets and issue verdicts through nfqueue. While packets are queued, they may carry references to kernel objects belonging to the connection tracking subsystem: conntrack templates (allocated in a per-CPU area when a rule sets a conntrack zone), conntrack timeout policies, and conntrack helpers.
The issue arises when the underlying module or object is removed while packets remain enqueued. Module removal frees the per-CPU template area; deleting a timeout policy or helper destroys the referenced object. Queued packets are not synchronized against this removal, so the references they carry become stale.
When the kernel later processes a queued packet, for instance when userspace returns a verdict, dereferencing the stale pointer reads freed memory. This is a use-after-free that can crash the kernel and, if the freed memory has been reallocated under an attacker's control, may be leveraged for further memory corruption.
Root Cause
The root cause is missing lifetime synchronization between nfqueue packet references and the conntrack objects they point to. The nft_ct code did not invalidate or drop queued packets when the backing objects were destroyed. The fix takes a coarse approach: drop all enqueued packets on object removal rather than tracking dependencies per packet.
Attack Vector
Exploitation requires the ability to influence conntrack template, timeout, or helper configuration and to cause packets to remain queued in nfqueue while those objects are removed. Configuring nftables and binding an nfqueue consumer require CAP_NET_ADMIN, which normally means privileged access. One caveat: on kernels that allow unprivileged user namespaces, an unprivileged process can obtain CAP_NET_ADMIN inside its own network namespace and manage nftables there, so "privileged" should not be read as "root only"; unloading a kernel module, by contrast, still requires CAP_SYS_MODULE in the initial namespace. Which removal path is needed to trigger the bug is not stated in the CVE record. The record does not include a CVSS vector, and no public exploit is reported.
No verified exploit code is available for CVE-2026-43060. The patched logic can be read in the upstream commits listed under Patch Information, in particular f29a055 and 36eae09.
Detection Methods for CVE-2026-43060
Indicators of Compromise
- Kernel oops or panic messages referencing nft_ct, nf_conntrack, or nfqueue call paths
- KASAN reports indicating use-after-free on conntrack template, timeout, or helper objects
- Unexpected unloads of nft_ct, nf_conntrack, or related netfilter modules on production hosts
Detection Strategies
- Monitor dmesg, journalctl -k, and /var/log/kern.log for crash reports whose traces mention nft_ct, nf_ct_tmpl, nf_conntrack_helper, nf_ct_timeout, or nfqueue symbols such as nfqnl_
- Audit kernel package versions against distribution advisories that reference CVE-2026-43060
- Track loaded kernel modules and alert on runtime removal of conntrack-related modules in production
Monitoring Recommendations
- Centralize kernel logs and alert on stack traces involving netfilter and conntrack symbols
- Enable KASAN on test kernels to surface use-after-free conditions during validation
- Inventory hosts running custom nftables rulesets with ct expressions and prioritize them for patching
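The log-scanning strategy above, as an added example that is not part of the CVE record or the kernel tree: a small POSIX shell scanner that walks a kernel log, treats each crash marker (KASAN, Oops, GPF) as the start of a report, and flags report lines that name nft_ct, conntrack template/helper/timeout, or nfqueue symbols. The symbol list and the 40-line report window are assumptions; the two sample logs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this advisory; not code from the kernel tree or the CVE record.
# Scans a kernel log (dmesg / journalctl -k output or /var/log/kern.log) for crash
# reports whose trace mentions nft_ct, conntrack object, or nfqueue symbols.

# Symbols that tie a crash to the objects this CVE concerns (ERE; an assumption,
# extend it for your kernel's symbol names).
NF_SYMBOLS='nft_ct|nf_ct_tmpl|nf_ct_helper|nf_conntrack_helper|nf_ct_timeout|nfqnl_|nf_queue'
# Lines that open a kernel crash report (ERE).
CRASH_MARKERS='BUG: KASAN:|general protection fault|Oops:|kernel BUG at|BUG: unable to handle'
# How many lines after a crash marker still count as part of the same report.
REPORT_WINDOW=40

# scan_klog FILE: print every crash-marker line, plus any line inside the report
# window that mentions a netfilter symbol. Exit 0 if at least one netfilter
# symbol appeared inside a crash report, 1 otherwise.
scan_klog() {
    awk -v nf="$NF_SYMBOLS" -v crash="$CRASH_MARKERS" -v win="$REPORT_WINDOW" '
        $0 ~ crash {
            left = win
            tag = ($0 ~ nf) ? "CRASH+NF " : "CRASH    "
            if ($0 ~ nf) hits++
            print tag $0
            next
        }
        left > 0 {
            left--
            if ($0 ~ nf) { hits++; print "NF-SYMBOL " $0 }
        }
        END { if (hits > 0) exit 0; exit 1 }
    ' "$1"
}

# nf_trace_hits FILE: print how many crash-report lines mention a netfilter
# symbol (0 for a clean log). Always exits 0; the printed number is the result.
nf_trace_hits() {
    scan_klog "$1" | grep -cE '^(CRASH\+NF|NF-SYMBOL) ' || true
}

# Constructed sample logs (not real captures). The first is what a KASAN
# use-after-free on a freed conntrack template would look like; the second is
# an unrelated driver Oops that must not be attributed to netfilter.
SAMPLE_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[  120.001234] nf_conntrack: default automatic helper assignment has been turned off for security reasons
[  400.123456] BUG: KASAN: slab-use-after-free in nft_ct_get_eval+0x1a2/0x5c0 [nft_ct]
[  400.123789] Read of size 2 at addr ffff888012345678 by task nfq-consumer/1234
[  400.124000] Call Trace:
[  400.124100]  nft_do_chain+0x2d4/0xb00 [nf_tables]
[  400.124200]  nf_hook_slow+0x4a/0x110
[  400.124300] Allocated by task 900:
[  400.124400]  nf_ct_tmpl_alloc+0x3a/0xe0 [nf_conntrack]
[  400.124500] Freed by task 901:
[  400.124600]  nf_ct_tmpl_free+0x1e/0x40 [nf_conntrack]
[  500.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
EOF
cat > "$CLEAN_LOG" <<'EOF'
[   10.000000] nf_conntrack: default automatic helper assignment has been turned off for security reasons
[   12.000000] Oops: 0000 [#1] PREEMPT SMP
[   12.000100]  some_unrelated_driver_irq+0x10/0x40 [some_driver]
[   12.000200]  handle_irq_event+0x3c/0x90
EOF

# Stand-alone run: scan the constructed log (or a file given as $1).
if scan_klog "${1:-$SAMPLE_LOG}"; then
    echo "netfilter/conntrack symbols found inside a crash report"
else
    echo "no netfilter-related crash report found"
fi
```

The window-based correlation matters: the line that names the freed object (nf_ct_tmpl_free in the "Freed by" section) is several lines below the KASAN marker, so a single-line grep for the marker would not tell you which subsystem's memory was involved. Feed the scanner `journalctl -k --no-pager` output or a saved kern.log in production.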
How to Mitigate CVE-2026-43060
Immediate Actions Required
- Apply the kernel update from your distribution that incorporates the upstream nft_ct fix
- Restrict CAP_NET_ADMIN to trusted administrators to limit who can manipulate netfilter state; where unprivileged user namespaces are enabled, this also means limiting them (for example via the user.max_user_namespaces sysctl), since nftables can be managed from inside a user-owned network namespace
- Avoid runtime removal of nft_ct, nf_conntrack, and related modules on production systems
Patch Information
The fix is delivered through multiple upstream commits backported across stable branches. Reference patches are kernel git commits 36eae09, 3da0b94, 6802ff8, 77da55d, 8a64e76, ab50302, e68a8db, and f29a055. The change drops pending enqueued packets when referenced conntrack objects are removed.
Workarounds
- Until patched, avoid rulesets that send packets to nfqueue while also setting conntrack zones (which create templates), timeout policies, or helpers on those packets
- Block runtime module unloading on production hosts: setting the kernel.modules_disabled sysctl to 1 prevents both loading and unloading until reboot and cannot be reverted at runtime. Note that kernel lockdown only restricts loading of unsigned modules and does not prevent rmmod, so it is not a substitute for this setting
- Limit nftables ruleset modifications to trusted automation pipelines and review changes that touch conntrack zones, timeouts, or helpers
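The workaround checks above, as an added example that is not code from the CVE record, the kernel tree, or the nftables project: a POSIX shell audit that takes a saved `nft list ruleset` dump, reports whether it combines an nfqueue action with ct timeout/helper/zone assignment, and checks whether kernel.modules_disabled is set. The regular expressions are assumptions about how nft prints these statements, and the sample rulesets and sysctl files below are constructed for the example.

```shell
#!/bin/sh
# Added example for this advisory; not code from the kernel tree, nftables, or
# the CVE record. Audits an `nft list ruleset` dump for the combination the
# workarounds target (nfqueue plus ct timeout/helper/zone assignment) and checks
# whether module unloading is blocked. File paths can point at saved copies so
# the audit runs offline.

# Rule lines that hand packets to userspace via nfqueue (ERE, assumed nft syntax).
QUEUE_RE='(^|[[:space:]])queue([[:space:]]|$)'
# Rule lines that attach a conntrack timeout policy, helper, or zone (a zone
# assignment creates the per-CPU template) to packets; these are the objects an
# nfqueued packet keeps referencing.
CT_ASSIGN_RE='(^|[[:space:]])ct[[:space:]]+(timeout|helper|zone)[[:space:]]+set([[:space:]]|$)'

# queue_rules FILE / ct_assignments FILE: print the matching lines with numbers.
queue_rules()    { grep -nE "$QUEUE_RE" "$1" || true; }
ct_assignments() { grep -nE "$CT_ASSIGN_RE" "$1" || true; }

# *_count FILE: print only the number of matching lines (0 when none).
queue_rule_count()    { grep -cE "$QUEUE_RE" "$1" || true; }
ct_assignment_count() { grep -cE "$CT_ASSIGN_RE" "$1" || true; }

# ruleset_exposed FILE: predicate; exit 0 when the dump contains both kinds of rule.
ruleset_exposed() {
    [ "$(queue_rule_count "$1")" -gt 0 ] && [ "$(ct_assignment_count "$1")" -gt 0 ]
}

# modules_unload_blocked [FILE]: exit 0 when kernel.modules_disabled is 1, which
# blocks both insmod and rmmod until reboot. FILE defaults to the live sysctl.
modules_unload_blocked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# audit RULESET_FILE [SYSCTL_FILE]: print findings. Exit 1 when the ruleset is
# exposed (so it can gate a deployment), 0 when it is not.
audit() {
    if ruleset_exposed "$1"; then
        echo "EXPOSED: nfqueue and ct object assignment both present in $1"
        echo "  queue rules:";            queue_rules "$1"    | sed 's/^/    /'
        echo "  ct object assignments:";  ct_assignments "$1" | sed 's/^/    /'
        rc=1
    else
        echo "OK: $1 does not combine nfqueue with ct timeout/helper/zone assignment"
        rc=0
    fi
    if modules_unload_blocked "$2"; then
        echo "kernel.modules_disabled=1: nft_ct/nf_conntrack cannot be unloaded at runtime"
    else
        echo "WARNING: module unloading is not blocked (kernel.modules_disabled != 1)"
    fi
    return $rc
}

# Constructed sample inputs (not taken from a real host).
EXPOSED_RULESET=$(mktemp); SAFE_RULESET=$(mktemp)
SYSCTL_ON=$(mktemp);       SYSCTL_OFF=$(mktemp)
trap 'rm -f "$EXPOSED_RULESET" "$SAFE_RULESET" "$SYSCTL_ON" "$SYSCTL_OFF"' EXIT
cat > "$EXPOSED_RULESET" <<'EOF'
table inet filter {
    ct timeout tcp-short {
        protocol tcp
        l3proto ip
        policy = { established : 600, close_wait : 10 }
    }
    ct helper ftp-std {
        type "ftp" protocol tcp
    }
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 21 ct helper set "ftp-std"
        tcp dport 8080 ct timeout set "tcp-short"
        iif "eth1" ct zone set 1
    }
    chain in {
        type filter hook input priority filter; policy accept;
        tcp dport 80 queue num 0
    }
}
EOF
# Same ruleset with the queue action removed: nothing sits in nfqueue while
# holding a reference to the timeout, helper, or zone template.
sed 's/queue num 0/accept/' "$EXPOSED_RULESET" > "$SAFE_RULESET"
echo 1 > "$SYSCTL_ON"
echo 0 > "$SYSCTL_OFF"

# Stand-alone run against the constructed inputs.
audit "$EXPOSED_RULESET" "$SYSCTL_OFF" || true
audit "$SAFE_RULESET"    "$SYSCTL_ON"  || true
```

On a live host run `nft list ruleset > /tmp/rules.txt` and then `audit /tmp/rules.txt`; the second argument can be omitted to read the real sysctl. The object definitions (`ct timeout tcp-short { ... }`) are deliberately not matched, only the `ct ... set` statements that attach them to packets, because it is the attachment, not the definition, that an nfqueued packet holds a reference to.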
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.