CVE-2026-43329 Overview
CVE-2026-43329 affects the Linux kernel netfilter subsystem, specifically the flowtable hardware offload code path. The flaw stems from insufficient validation of the maximum number of flow actions when constructing IPv6 offload entries. Combinations of ethernet mangling, SNAT, DNAT, double VLAN (QinQ), and redirect actions can require 17 actions, exceeding the prior limit of 16. The act_ct module additionally supports tunnel actions, further amplifying the action count. The upstream fix updates flow_action_entry_next() callers to strictly check the action ceiling and raises the maximum to 24 to accommodate IPv6 setups.
Critical Impact
A local user with the ability to influence flowtable offload configuration can trigger an out-of-bounds access to kernel memory, leading to an integrity and availability impact on the host.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix commits)
- Linux Kernel 7.0 release candidates (rc1 through rc6)
- Systems using netfilter flowtable hardware offload with IPv6 and act_ct
Discovery Timeline
- 2026-05-08 - CVE-2026-43329 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43329
Vulnerability Analysis
The Linux kernel netfilter flowtable offload mechanism translates connection tracking entries into a list of hardware actions consumed by NIC offload drivers. Each action populates a fixed-size array bounded by flow_action_entry_next() checks. The kernel computed worst-case action counts that did not account for the full IPv6 combination of operations.
For IPv6 flows, payload mangling operates at 32-bit word granularity, so rewriting a single IPv6 address consumes four payload actions. Ethernet address rewriting consumes another four actions. SNAT and DNAT each add four more. Double VLAN (QinQ) requires four actions for pop and push, and redirect adds one. The total reaches 17, exceeding the previous 16-entry cap.
Root Cause
The root cause is missing strict bounds enforcement on the action array when building flowtable offload entries. The flow_action_entry_next() helper was not consistently checked against the maximum supported actions across all call sites, allowing the action index to advance past the array boundary in certain IPv6 configurations.
Attack Vector
Exploitation requires local access with privileges sufficient to configure nftables flowtables, traffic control (tc) act_ct rules, or related netfilter offload paths. The attack vector is local with low complexity. Crafting an IPv6 flow that simultaneously requires NAT, ethernet rewrite, QinQ, and redirect actions causes the kernel to overrun the action array, producing memory corruption, kernel panic, or undefined offload behavior.
No verified public proof-of-concept is available. See the upstream patch commit 879959a for the corrected boundary logic.
Detection Methods for CVE-2026-43329
Indicators of Compromise
- Kernel oops or panic messages referencing flow_offload, nf_flow_table_offload, or act_ct in dmesg and /var/log/kern.log.
- Unexpected hardware offload rule installation failures on NICs handling IPv6 traffic with NAT and VLAN tagging.
- Sudden loss of flowtable acceleration on systems running QinQ plus IPv6 NAT topologies.
Detection Strategies
- Inventory kernel versions across Linux fleets and flag hosts running pre-patch builds that enable CONFIG_NF_FLOW_TABLE with hardware offload.
- Audit nftables and tc configurations for flowtables combining IPv6 NAT, ethernet mangling, and double VLAN actions.
- Correlate kernel ring-buffer crashes with netfilter modules to identify potential triggers of the boundary condition.
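The configuration audit above, as an added Python example that is not part of the advisory or of the nftables project: it parses `nft list ruleset` output, reports every flowtable declared with `flags offload` (with its hook and device list) and every nat-type chain in an ip6 or inet table, so the two halves of the risky combination can be matched up by hand. The ruleset text is constructed.

```python
import re

# Constructed `nft list ruleset` output (assumption, not from a real host): an
# offload-enabled flowtable and an IPv6 NAT chain, the combination to look for.
SAMPLE_RULESET = """\
table inet filter {
    flowtable ft {
        hook ingress priority filter
        devices = { eth0, eth1 }
        flags offload
    }
}
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(?P<family>\w+)\s+(?P<name>\S+)\s*\{$")
BLOCK_RE = re.compile(r"^(?P<kind>flowtable|chain)\s+(?P<name>\S+)\s*\{$")
DEVICES_RE = re.compile(r"^devices\s*=\s*\{\s*(?P<devs>[^}]*)\}")

def audit_ruleset(text):
    """Report flowtables with 'flags offload' and nat-type chains in ip6/inet tables."""
    offloaded, ipv6_nat_chains = [], []
    table, block, depth = None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        opened = depth  # nesting level at which this line starts
        depth += line.count("{") - line.count("}")  # rule-level sets like { tcp, udp } stay balanced
        if opened == 0 and (m := TABLE_RE.match(line)):
            table = (m.group("family"), m.group("name"))
        elif opened == 1 and table and (m := BLOCK_RE.match(line)):
            block = (m.group("kind"), {"table": "%s %s" % table, "name": m.group("name"),
                                       "devices": [], "flags": []})
        elif opened >= 2 and block:
            if block[0] == "flowtable" and (m := DEVICES_RE.match(line)):
                block[1]["devices"] = [d.strip() for d in m.group("devs").split(",") if d.strip()]
            elif block[0] == "flowtable" and line.startswith("flags "):
                block[1]["flags"] = line[6:].rstrip(";").replace(",", " ").split()
            elif block[0] == "chain" and line.startswith("type nat ") and table[0] in ("ip6", "inet"):
                ipv6_nat_chains.append("%s %s" % (block[1]["table"], block[1]["name"]))
        if depth <= 1 and block:  # the block's closing brace was on this line
            if block[0] == "flowtable" and "offload" in block[1]["flags"]:
                offloaded.append(block[1])
            block = None
    return {"offload_flowtables": offloaded, "ipv6_nat_chains": ipv6_nat_chains}
```

Feed it the real output with `nft list ruleset | python3 -c 'import sys, audit; print(audit.audit_ruleset(sys.stdin.read()))'` or an equivalent wrapper; a non-empty offload list on a pre-patch kernel is the finding.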
Monitoring Recommendations
- Forward kernel.* syslog facility entries to a centralized logging or SIEM platform and alert on BUG:, WARNING:, or Oops: strings tied to nf_flow_table symbols.
- Monitor process activity that invokes nft, iptables, tc, or ip with CAP_NET_ADMIN on production hosts.
- Track NIC offload statistics for unexpected drops in offloaded flows after configuration changes.
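The alerting rule in the first recommendation, as an added Python example that is not part of the advisory: it groups kernel ring-buffer lines into BUG/WARNING/Oops blocks (from the header line to the `---[ end trace` line or the next header) and keeps only the blocks whose text names a flowtable offload or act_ct symbol. The log lines and the function names in them are constructed.

```python
import re
import sys

# Constructed dmesg-style lines (assumption: not captured from a real crash).
# The first block is an unrelated WARNING; the second is an oops whose trace
# names flowtable offload symbols and should be flagged.
SAMPLE_KMSG = """\
[  812.104312] WARNING: CPU: 2 PID: 913 at drivers/example/example.c:123 example_fn+0x10/0x20
[  812.104340] Call Trace:
[  812.104341]  example_fn+0x10/0x20
[  812.104342] ---[ end trace 0000000000000000 ]---
[ 1203.551220] BUG: KASAN: slab-out-of-bounds in nf_flow_rule_build+0x3a4/0x5c0 [nf_flow_table_offload]
[ 1203.551301] Call Trace:
[ 1203.551310]  nf_flow_rule_build+0x3a4/0x5c0 [nf_flow_table_offload]
[ 1203.551322]  flow_offload_work_handler+0x1f0/0x420 [nf_flow_table_offload]
[ 1203.551350] ---[ end trace 0000000000000000 ]---
"""

HEADER_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<marker>BUG|WARNING|Oops):")
NF_SYMBOL_RE = re.compile(r"\b(?:nf_flow_table|flow_offload|act_ct)\w*")
END_RE = re.compile(r"---\[ end trace")

def find_netfilter_crashes(lines):
    """Return the BUG/WARNING/Oops blocks that mention a flowtable offload
    or act_ct symbol, each as {timestamp, marker, symbols}."""
    events, current = [], None
    def close():
        nonlocal current
        if current and current["symbols"]:
            current["symbols"] = sorted(current["symbols"])
            events.append(current)
        current = None
    for raw in lines:
        line = raw.rstrip("\n")
        if m := HEADER_RE.match(line):
            close()  # a new header ends any block that had no end-trace line
            current = {"timestamp": float(m.group("ts")), "marker": m.group("marker"), "symbols": set()}
        if current is None:
            continue  # ordinary log noise outside any crash block
        current["symbols"].update(NF_SYMBOL_RE.findall(line))
        if END_RE.search(line):
            close()
    close()
    return events

if __name__ == "__main__":
    for ev in find_netfilter_crashes(sys.stdin):  # e.g. dmesg | python3 nf_oops_scan.py
        print("%(timestamp).6f %(marker)s %(symbols)s" % ev)
```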
How to Mitigate CVE-2026-43329
Immediate Actions Required
- Apply the upstream stable kernel patches referenced below and reboot affected hosts during the next maintenance window.
- Restrict CAP_NET_ADMIN and root-equivalent access on systems exposed to multi-tenant workloads or untrusted local users.
- Validate that container runtimes do not grant unnecessary network administration capabilities to workloads.
Patch Information
The fix is distributed across multiple stable kernel branches. Reference commits include 504c945, 5382bb0, 57c78bd, 76522fc, 879959a, ead66c7, and fe9018d. Track your distribution vendor's security advisories for backported builds.
Workarounds
- Disable netfilter flowtable hardware offload until patched kernels are deployed by removing the offload flag from nftables flowtable declarations.
- Avoid configurations that combine IPv6 NAT, ethernet address mangling, and double VLAN (QinQ) on the same flowtable.
- Unload or blacklist the nf_flow_table_offload and related modules where offload functionality is not required.
# Configuration example: disable flowtable hardware offload in nftables
# Before (vulnerable configuration):
# flowtable ft { hook ingress priority 0; devices = { eth0, eth1 }; flags offload; }
# After (mitigated configuration), shown inside its enclosing table so the
# fragment loads as-is; the table family and name are illustrative:
table inet filter {
    flowtable ft {
        hook ingress priority 0;
        devices = { eth0, eth1 };
        # "flags offload" removed, so flows stay on the software flowtable path
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.