CVE-2026-43088 Overview
CVE-2026-43088 is an uninitialized memory disclosure vulnerability in the Linux kernel's net/key/af_key.c PF_KEY socket implementation. The flaw exists in IPv6 sockaddr export paths where pfkey_sockaddr_size() reserves 32 bytes for IPv6 addresses, but pfkey_sockaddr_fill() only initializes the first 28 bytes of struct sockaddr_in6. This leaves 4 aligned tail bytes uninitialized in messages emitted to userspace.
Critical Impact
Local users with access to PF_KEY sockets can read 4 bytes of uninitialized kernel stack or heap memory per affected message, potentially leaking sensitive kernel data across SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE notifications.
Affected Products
- Linux kernel versions containing the vulnerable af_key PF_KEY implementation
- Systems with IPsec/PF_KEY userspace key management (e.g., racoon, pluto, IKE daemons)
- Distributions shipping affected stable kernel branches prior to the upstream fix
Discovery Timeline
- 2026-05-06 - CVE-2026-43088 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43088
Vulnerability Analysis
The vulnerability resides in the PF_KEY (RFC 2367) export logic that builds netlink-style messages for IPsec key management. PF_KEY uses pfkey_sockaddr_size() to reserve sockaddr payload space aligned to 8 bytes, which means an IPv6 struct sockaddr_in6 occupies 32 bytes on the wire.
The pfkey_sockaddr_fill() helper, however, populates only the 28 bytes defined by struct sockaddr_in6 (family, port, flowinfo, address, scope ID). The remaining 4 aligned padding bytes are never written, retaining whatever data previously occupied that memory.
Three export paths are affected because they append sockaddr payloads with plain skb_put() rather than zeroing the message buffer beforehand: SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE. State and policy dump builders are unaffected because they zero the entire message buffer first.
Root Cause
The root cause is a size mismatch between allocation and initialization, classified as Use of Uninitialized Memory. pfkey_sockaddr_size() returns the aligned size (32 bytes for AF_INET6), but the fill helper only writes the structure's defined fields (28 bytes), leaving a 4-byte hole.
Attack Vector
A local attacker with permission to open PF_KEY sockets (typically requiring CAP_NET_ADMIN) subscribes to PF_KEY events and triggers IPsec state transitions that emit SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, or SADB_X_MIGRATE messages. The attacker then reads the 4 trailing bytes of each IPv6 sockaddr payload to harvest uninitialized kernel memory contents.
No verified public exploit code is available. The upstream fix clears only the aligned sockaddr tail after pfkey_sockaddr_fill() in the affected export paths. See the kernel commit 426c355742f0 and the companion commit 2e74f974359b for the patch implementation.
Detection Methods for CVE-2026-43088
Indicators of Compromise
- Unexpected processes opening AF_KEY sockets outside of authorized IKE/IPsec daemons such as charon, pluto, or racoon
- High-frequency SADB_ACQUIRE or SADB_X_MIGRATE traffic generated by non-standard userspace components
- Kernel running an unpatched version with active PF_KEY subscribers logging IPv6 SA payloads
Detection Strategies
- Audit kernel package versions against vendor advisories tracking the af_key PF_KEY fix and flag hosts on unpatched stable branches
- Use auditd rules on the socket syscall to record processes creating PF_KEY (family 15) sockets and correlate with expected IPsec daemons
- Hunt for anomalous reads of PF_KEY messages in process memory or file descriptors held by untrusted local accounts
Monitoring Recommendations
- Monitor execution of binaries invoking socket(AF_KEY, SOCK_RAW, ...) and alert on unauthorized callers
- Track kernel build identifiers (uname -r) across the fleet to ensure rollout of the patched kernel
- Forward syscall and IPsec state-change telemetry to a centralized analytics platform for retrospective hunts
How to Mitigate CVE-2026-43088
Immediate Actions Required
- Apply the upstream Linux kernel patch that zeroes the aligned sockaddr tail after pfkey_sockaddr_fill() in SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE export paths
- Update to the latest stable kernel release from your distribution that incorporates the fix
- Restrict CAP_NET_ADMIN to trusted system services and IKE daemons only
Patch Information
The fix is delivered through upstream kernel commits. Review the primary fix commit 426c355742f0 and the related commit 2e74f974359b. Distribution maintainers will backport these changes to supported stable kernel branches; install vendor-provided kernel updates as soon as they are available and reboot affected hosts.
Workarounds
- Disable the af_key kernel module on systems that do not require legacy PF_KEY IPsec management by blacklisting it via /etc/modprobe.d/
- Where feasible, migrate to the XFRM netlink interface (AF_NETLINK with NETLINK_XFRM) for IPsec configuration, since policy and state dump builders are not affected
- Limit IPv6 IPsec policy and SA configurations on hosts where the kernel cannot be promptly updated
# Configuration example: disable the af_key module on hosts that do not need PF_KEY
echo "blacklist af_key" | sudo tee /etc/modprobe.d/disable-af_key.conf
sudo rmmod af_key 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
