CVE-2026-43085 Overview
CVE-2026-43085 is an information disclosure vulnerability in the Linux kernel's netfilter nfnetlink_log subsystem. The flaw resides in the __nfulnl_send() function, which appends an NLMSG_DONE terminator when batching multiple NFLOG messages. The terminator includes a struct nfgenmsg payload added via nlmsg_put(), but the payload bytes are never initialized before transmission to userspace.
The nlmsg_put() helper only zeroes alignment padding after the payload, leaving the payload itself populated with stale kernel heap data. As a result, four bytes of uninitialized kernel memory leak to userspace consumers of NFLOG netlink messages.
Critical Impact
Local users with access to NFLOG netlink sockets can receive four bytes of stale kernel heap memory in each batched NLMSG_DONE terminator, enabling kernel information disclosure that can aid further exploitation.
Affected Products
- Linux kernel netfilter subsystem (net/netfilter/nfnetlink_log.c)
- Linux stable kernel branches receiving the referenced backports
- Distributions packaging vulnerable kernel versions prior to the fix
Discovery Timeline
- 2026-05-06 - CVE-2026-43085 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43085
Vulnerability Analysis
The vulnerability is an uninitialized memory disclosure ([CWE-908]) in the netfilter logging path. When the NFLOG instance queue length inst->qlen exceeds 1, __nfulnl_send() batches multiple log messages into a single netlink buffer. To terminate the batch, the function appends an NLMSG_DONE message whose payload is sized to sizeof(struct nfgenmsg).
The terminator is constructed using the generic nlmsg_put() helper. This helper reserves space for the payload and zeroes only the alignment padding that follows it. The payload bytes themselves remain whatever the underlying skb buffer last contained, which is typically recycled kernel heap data.
Once the netlink message is delivered to a userspace listener, the four bytes corresponding to the uninitialized nfgenmsg structure expose kernel memory contents. While the leak is small per message, batched NFLOG traffic provides a steady stream of disclosed bytes that can reveal pointers, structure remnants, or other sensitive kernel state useful for bypassing KASLR or staging memory corruption exploits.
Root Cause
The root cause is the use of nlmsg_put() to construct a netlink header that requires a payload, without explicitly initializing that payload. The function contract zeroes alignment padding only. The fix replaces the call with nfnl_msg_put(), which internally invokes nfnl_fill_hdr() to populate the nfgenmsg fields, mirroring how __build_packet_message() already builds NFULNL_MSG_PACKET headers.
Attack Vector
Exploitation requires a local attacker capable of receiving NFLOG netlink messages, typically a process with CAP_NET_ADMIN or one running in a network namespace permitting netfilter configuration. The attacker configures iptables or nftables NFLOG targets to generate batched log traffic and reads the resulting netlink stream, parsing the NLMSG_DONE terminators to extract leaked bytes. The detailed patch behavior is documented in the kernel git commit history for the netfilter subsystem.
Detection Methods for CVE-2026-43085
Indicators of Compromise
- Unexpected userspace processes opening NETLINK_NETFILTER sockets and binding to NFLOG groups
- Processes with CAP_NET_ADMIN configuring iptables or nftables NFLOG targets outside of normal logging infrastructure
- High-volume NFLOG message consumption that does not correspond to legitimate log forwarders such as ulogd2
Detection Strategies
- Inventory running kernels with uname -r and compare against fixed stable releases referenced in the kernel git commits
- Audit netlink socket usage with ss -f netlink to identify processes attached to netfilter logging groups
- Review iptables and nftables rulesets for NFLOG targets configured by non-administrative tooling
Monitoring Recommendations
- Log and alert on audit events for setsockopt calls binding NETLINK_NETFILTER sockets to NFLOG multicast groups
- Track package manager events for kernel updates and verify reboot completion to confirm patched kernel is running
- Monitor for processes parsing raw netlink payloads outside of approved logging daemons
How to Mitigate CVE-2026-43085
Immediate Actions Required
- Apply the kernel update containing the nfnl_msg_put() fix from your distribution and reboot affected systems
- Restrict CAP_NET_ADMIN to trusted administrative accounts and avoid granting it to containerized workloads
- Disable NFLOG targets in iptables and nftables rules where logging is not required
Patch Information
The fix replaces nlmsg_put() with nfnl_msg_put() in __nfulnl_send() so that the nfgenmsg payload of the NLMSG_DONE terminator is fully initialized via nfnl_fill_hdr(). The patch is available across multiple stable branches in the Linux kernel git repository, with backports tracked in commits 15d209bc, 1f3083ae, 368c22ae, and d1399632.
Workarounds
- Remove or disable iptables and nftables rules that use the NFLOG target until the kernel patch is applied
- Drop the CAP_NET_ADMIN capability from container and service configurations that do not require netfilter management
- Use seccomp profiles to block creation of AF_NETLINK sockets with the NETLINK_NETFILTER family for untrusted workloads
# Identify NFLOG rules in use prior to remediation
sudo iptables-save | grep -i NFLOG
sudo nft list ruleset | grep -i log
# Verify running kernel after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
