CVE-2026-43084 Overview
CVE-2026-43084 is a use-after-free vulnerability in the Linux kernel's nfnetlink_queue netfilter subsystem. The flaw stems from sharing a global hash table across all queues, allowing a parallel CPU to encounter an nf_queue_entry structure that has already been released via kfree. KASAN reports the issue as a slab-use-after-free triggered through nfqnl_recv_verdict. The kernel maintainers resolved the issue by making the hash table per-queue rather than global. Multiple stable kernel branches received fixes through commits 22730cb, 41e3652, 936206e, and 9e5ebef.
Critical Impact
Use-after-free conditions in kernel netfilter code can lead to memory corruption, kernel panic, or local privilege escalation depending on heap layout and exploitation primitives.
Affected Products
- Linux kernel releases that include the nfnetlink_queue netfilter module and predate the listed fix commit on their stable branch
- Distributions shipping vulnerable upstream kernels with CONFIG_NETFILTER_NETLINK_QUEUE enabled
- Systems using userspace queueing for packet inspection (for example, NFQUEUE-based IDS/IPS frameworks)
Discovery Timeline
- 2026-05-06 - CVE-2026-43084 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43084
Vulnerability Analysis
The nfnetlink_queue subsystem queues network packets to userspace for verdict decisions. Each queued packet is tracked through an nf_queue_entry structure stored in a hash table. The pre-patch implementation shared one global hash table across all queues. When a verdict arrived through nfqnl_recv_verdict, the kernel walked this shared structure to locate the matching entry.
The race arises when one CPU frees an nf_queue_entry with kfree while another CPU is still walking the same shared hash table. The stale pointer remains reachable through the hash, so the second CPU dereferences freed slab memory. KASAN flagged the access inside nfqnl_recv_verdict+0x11ac/0x15e0 during ordinary verdict processing.
Root Cause
The root cause is that object lifetime is not synchronized against concurrent readers of a shared data structure. Entries are released with an immediate kfree rather than a deferred mechanism such as kfree_rcu, and readers walking the hash hold no reference that would keep an entry alive until they are finished with it. Because one hash table serves every queue, teardown on any queue can race verdict processing on any other, so the exposure grows with the number of active queues.
Attack Vector
A local attacker who can create netfilter queues and submit verdicts can race verdict processing against entry teardown. Both operations go through nfnetlink, which requires CAP_NET_ADMIN in the network namespace that owns the queue. On hosts where unprivileged user namespaces are enabled, an otherwise unprivileged local user can typically obtain that capability inside a private network namespace, so exposure is not limited to root or to containers explicitly granted CAP_NET_ADMIN. Triggering the race requires concurrent operations against nfnetlink_queue from multiple CPUs. Successful exploitation corrupts kernel slab memory, with outcomes ranging from denial of service through kernel panic to memory corruption usable for privilege escalation.
No public exploit code is available. See the upstream fix in Kernel Git Commit 22730cb for the structural change that converts the hash table to per-queue allocation.
Detection Methods for CVE-2026-43084
Indicators of Compromise
- KASAN reports of slab-use-after-free in nfqnl_recv_verdict in kernel logs or dmesg output (match on the function name; the +0x11ac/0x15e0 offsets are specific to the reporting build and will differ on other kernels)
- Unexpected kernel panics or oops messages originating from the nfnetlink_queue module
- Crash signatures including the call path nfnetlink_rcv_msg followed by nfqnl_recv_verdict
Detection Strategies
- Confirm that the running kernel carries the fix for its stable branch (commits 22730cb, 41e3652, 936206e, or 9e5ebef); distribution kernels backport fixes without changing the upstream version string, so check the vendor changelog or advisory rather than the version number alone
- Monitor for unprivileged or container workloads that hold CAP_NET_ADMIN and interact with NFQUEUE targets
- Correlate kernel ring buffer crashes with workloads using userspace packet queueing frameworks
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a central logging pipeline and alert on KASAN or oops signatures; KASAN output only appears on kernels built with CONFIG_KASAN, so on production kernels expect an oops, a panic, or silent corruption rather than a labelled use-after-free report
- Track loaded kernel modules and flag hosts where nfnetlink_queue is active on unpatched kernels
- Establish baseline crash rates for netfilter components and investigate deviations
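The detection and monitoring items above reduce to three checks a responder can script: does a kernel log carry this bug's crash signature, does the host hand packets to userspace queues at all, and can unprivileged local users reach nfnetlink_queue. The POSIX shell script below is an added example, not part of this advisory or of the kernel tree. The log lines and rule dumps embedded in it are constructed samples (only the nfqnl_recv_verdict offset is the one quoted in the advisory; the other offsets and the address are placeholders), and the live audit assumes the usual tools (lsmod, iptables-save, ip6tables-save, ebtables-save, nft, dmesg) and the standard /proc/sys user-namespace knobs are present.

```shell
#!/bin/sh
# Triage helpers for CVE-2026-43084. Added example, not code from the advisory
# or the kernel tree. Assumes standard dmesg/kern.log formatting and the usual
# rule-dump tools (iptables-save, ip6tables-save, ebtables-save, nft).

# 0 if the text carries a crash signature matching this bug: a KASAN
# slab-use-after-free report naming nfqnl_recv_verdict, or an oops/panic trace
# reaching nfqnl_recv_verdict from nfnetlink_rcv_msg. Matches on function
# names only, because the +0x... offsets differ between kernel builds.
log_has_nfqueue_uaf_signature() {
    printf '%s\n' "$1" | awk '
        /slab-use-after-free/     { kasan = 1 }
        /nfqnl_recv_verdict/      { verdict = 1 }
        /nfnetlink_rcv_msg/       { rcv = 1 }
        /BUG:|Oops:|Kernel panic/ { crash = 1 }
        END { exit ((kasan && verdict) || (crash && rcv && verdict)) ? 0 : 1 }'
}

# 0 if a rule dump hands packets to userspace: iptables/ip6tables/ebtables
# "-j NFQUEUE" targets or nftables "queue" statements.
rules_use_nfqueue() {
    printf '%s\n' "$1" | grep -Eq -- '-j NFQUEUE|(^|[[:space:]])queue([[:space:]]|$)'
}

# Heuristic: 0 if unprivileged users can create user namespaces, which lets them
# hold CAP_NET_ADMIN in a private network namespace and reach nfnetlink_queue
# there. Reads the Debian/Ubuntu knob first, then the generic limit; other
# distribution-specific restrictions are not checked.
unprivileged_userns_enabled() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ]
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
    else
        return 1
    fi
}

# Live host audit; rule dumps and dmesg usually need root.
audit_host() {
    echo "kernel: $(uname -r)"
    if lsmod 2>/dev/null | grep -q '^nfnetlink_queue'; then
        echo "nfnetlink_queue: loaded"
    else
        echo "nfnetlink_queue: not loaded"
    fi
    dump=""
    for tool in iptables-save ip6tables-save ebtables-save; do
        if command -v "$tool" >/dev/null 2>&1; then
            dump="$dump
$("$tool" 2>/dev/null || true)"
        fi
    done
    if command -v nft >/dev/null 2>&1; then
        dump="$dump
$(nft list ruleset 2>/dev/null || true)"
    fi
    if rules_use_nfqueue "$dump"; then
        echo "queue rules: present (packets are handed to userspace)"
    else
        echo "queue rules: none found"
    fi
    if unprivileged_userns_enabled; then
        echo "unprivileged user namespaces: enabled (local users may reach nfnetlink_queue)"
    fi
    if command -v dmesg >/dev/null 2>&1 && log_has_nfqueue_uaf_signature "$(dmesg 2>/dev/null || true)"; then
        echo "dmesg: crash signature matching this bug found, collect the full trace"
    fi
}

# Constructed samples, not real captures.
SAMPLE_KASAN='[  512.001234] BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0
[  512.001240] Read of size 8 at addr ffff888100a0b000 by task nfq-consumer/4242
[  512.001250] Call Trace:
[  512.001251]  nfqnl_recv_verdict+0x11ac/0x15e0
[  512.001252]  nfnetlink_rcv_msg+0x1f0/0x3a0
[  512.001253]  netlink_rcv_skb+0x5f/0x130'
SAMPLE_BENIGN='[   12.345678] nf_conntrack: default automatic helper assignment has been turned off for security reasons'
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT'
SAMPLE_NFT_QUEUE='table inet ids {
    chain forward {
        type filter hook forward priority filter; policy accept;
        queue num 0 bypass
    }
}'
SAMPLE_NFT_CLEAN='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        tcp dport 22 accept
    }
}'

# Self-check on the samples; pass --audit to inspect the live host instead.
if log_has_nfqueue_uaf_signature "$SAMPLE_KASAN"; then echo "sample KASAN report: signature matched"; fi
if rules_use_nfqueue "$SAMPLE_IPTABLES"; then echo "sample iptables dump: NFQUEUE rule found"; fi
case "${1:-}" in --audit) audit_host ;; esac
```

Run it as `sh triage.sh --audit` on each host in the NFQUEUE inventory; a host that reports queue rules present, unprivileged user namespaces enabled, and an unpatched kernel is the one to patch first. Feed archived kern.log content to log_has_nfqueue_uaf_signature from the central log pipeline to catch crashes on hosts that have already rebooted.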
How to Mitigate CVE-2026-43084
Immediate Actions Required
- Apply the upstream stable kernel updates that include the per-queue hash table fix and reboot affected hosts
- Inventory systems using NFQUEUE and prioritize patching for multi-tenant or container hosts where local users can trigger the race
- Restrict CAP_NET_ADMIN to trusted processes to limit who can create netfilter queues, and where unprivileged user namespaces are not needed, disable them, since they let ordinary users hold CAP_NET_ADMIN inside a private network namespace
Patch Information
The fix converts the global hash table to a per-queue structure, eliminating cross-queue lifetime conflicts. Apply the kernel update containing the relevant commit for your stable branch: Kernel Git Commit 22730cb, Kernel Git Commit 41e3652, Kernel Git Commit 936206e, or Kernel Git Commit 9e5ebef.
Workarounds
- Unload the nfnetlink_queue module on systems that do not require userspace packet queueing; modprobe -r refuses while the module is in use, so remove queue rules and stop any queue consumer first
- Disable CONFIG_NETFILTER_NETLINK_QUEUE in custom kernel builds where the feature is unused
- Remove NFQUEUE rules from active iptables, nftables, or ebtables configurations until patches are deployed; packets that previously went to an inline IDS/IPS will then be handled by the remaining rules and chain policy, so decide deliberately whether that traffic fails open or closed in the meantime
# Configuration example
# Check whether nfnetlink_queue is loaded; a non-zero "Used by" count means it cannot be unloaded yet
lsmod | grep nfnetlink_queue
# Find rules that still queue packets to userspace and remove them first
sudo sh -c 'iptables-save; ip6tables-save' | grep NFQUEUE
sudo nft list ruleset | grep -w queue
# Unload the module once no queue rules remain and no userspace consumer is attached
sudo modprobe -r nfnetlink_queue
# Prevent autoload: "blacklist" only stops alias-driven loading (the kernel's request for
# the nfnetlink queue subsystem), so add an "install" override to block explicit modprobe calls too
printf 'blacklist nfnetlink_queue\ninstall nfnetlink_queue /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-nfqueue.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


