CVE-2026-43089 Overview
CVE-2026-43089 is an information disclosure vulnerability in the Linux kernel's xfrm_user subsystem. The flaw exists in the build_mapping() function, where struct xfrm_usersa_id contains a one-byte padding hole following the proto field. The kernel never zeroes this padding before copying the structure to userspace, leaking uninitialized kernel memory.
The upstream fix zeroes the entire structure before assigning individual fields. Multiple stable kernel branches received backports, as reflected in the five referenced commits.
Critical Impact
Local users receiving xfrm netlink notifications can read one byte of uninitialized kernel stack or heap memory per event, potentially exposing sensitive data such as pointers, keys, or stack canaries used to defeat KASLR.
Affected Products
- Linux kernel branches prior to the fixes in commits 1beb76b2053b, 5a1a4b049ddd, 700c9622b23c, d3125c541a96, and f779a6b6cdb6
- Distributions shipping vulnerable mainline and stable kernels with CONFIG_XFRM_USER enabled
- Systems exposing IPsec/XFRM netlink interfaces to unprivileged or sandboxed processes
Discovery Timeline
- 2026-05-06 - CVE-2026-43089 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43089
Vulnerability Analysis
The vulnerability is an uninitialized memory disclosure [CWE-908] in the kernel's IPsec key management interface. The xfrm_user module exposes XFRM state and policy operations to userspace through netlink sockets. When the kernel sends mapping notifications, build_mapping() populates a struct xfrm_usersa_id and copies it into a netlink skb destined for userspace listeners.
Due to natural alignment rules, the C compiler inserts a one-byte padding hole after the proto field within struct xfrm_usersa_id. The original code assigns each member individually but never clears the padding byte. Whatever stack or slab content occupied that byte is transmitted to the receiver. The EPSS score of 0.018% reflects the local nature of the issue and the limited primitive provided by a single byte per event.
Root Cause
The root cause is incomplete structure initialization. build_mapping() writes individual fields of xfrm_usersa_id rather than first zeroing the entire object. C language semantics do not guarantee that struct padding is initialized when only fields are assigned. The fix replaces the field-by-field assignment with a full memset (or equivalent zero-initialization) followed by the individual assignments.
Attack Vector
A local process able to open an AF_NETLINK socket bound to NETLINK_XFRM and subscribe to the relevant multicast group can receive mapping notifications. Each notification leaks one byte of uninitialized kernel memory. Repeated leakage across many events can reveal pointers or other sensitive bytes useful for bypassing KASLR or chaining with other kernel vulnerabilities. Exploitation requires the CAP_NET_ADMIN capability in the relevant user namespace, which is achievable from inside unprivileged user namespaces on many distributions.
The vulnerability does not provide write access or direct code execution. Its value lies in pairing with secondary memory-corruption flaws to defeat kernel hardening.
Detection Methods for CVE-2026-43089
Indicators of Compromise
- Unexpected processes opening NETLINK_XFRM sockets and joining XFRMNLGRP_MAPPING multicast groups without legitimate IPsec workloads
- Anomalous use of CAP_NET_ADMIN from within user namespaces on hosts that do not run IKE daemons such as strongSwan, Libreswan, or iked
- High-frequency consumption of XFRM mapping events from non-networking userspace components
Detection Strategies
- Audit socket() calls with AF_NETLINK and protocol NETLINK_XFRM using auditd or eBPF probes attached to __sys_socket
- Compare the running kernel version against the patched commits listed in the kernel.org stable tree to confirm exposure
- Use KASAN or KMSAN-instrumented kernels in test environments to surface uninitialized memory reads from build_mapping()
Monitoring Recommendations
- Forward kernel and audit logs to a centralized analytics platform and alert on unprivileged processes binding to NETLINK_XFRM
- Track creation of unprivileged user namespaces on production hosts that do not require them, as this is a common precursor to local kernel exploitation
- Monitor patch deployment status across the Linux fleet to verify the fix is applied on every node
How to Mitigate CVE-2026-43089
Immediate Actions Required
- Apply the vendor kernel update that incorporates the upstream fix to build_mapping() in net/xfrm/xfrm_user.c
- Restrict the ability to create unprivileged user namespaces on systems that do not need them by setting kernel.unprivileged_userns_clone=0 or equivalent sysctl
- Inventory hosts running vulnerable kernel versions and prioritize those exposing local shell access to untrusted users
Patch Information
The fix is available across stable branches in the following commits: 1beb76b2053b, 5a1a4b049ddd, 700c9622b23c, d3125c541a96, and f779a6b6cdb6. The patch zero-initializes struct xfrm_usersa_id before assigning individual fields, eliminating the padding leak.
Workarounds
- Disable the xfrm_user module on hosts that do not require IPsec by blacklisting it in /etc/modprobe.d/ if no IPsec services are active
- Apply seccomp filters to sandboxed workloads that block socket(AF_NETLINK, ..., NETLINK_XFRM) to prevent subscription to mapping events
- Restrict CAP_NET_ADMIN in container runtimes and disable user namespace creation for untrusted tenants
# Configuration example: harden a host that does not use IPsec
echo 'install xfrm_user /bin/true' | sudo tee /etc/modprobe.d/disable-xfrm_user.conf
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-userns.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
