CVE-2026-43450 Overview
CVE-2026-43450 is an out-of-bounds read vulnerability in the Linux kernel's netfilter subsystem, specifically within the nfnetlink_cthelper connection tracking helper module. The flaw resides in nfnl_cthelper_dump_table(), where a misplaced goto restart statement allows the dump loop to bypass its bounds check. When the helper saved in cb->args[1] is deleted between dump rounds, the loop counter cb->args[0] reaches nf_ct_helper_hsize and the restart logic reads 8 bytes past the end of the nf_ct_helper_hash array. The condition was confirmed by Kernel Address Sanitizer (KASAN) slab-out-of-bounds reports.
Critical Impact
A local unprivileged process issuing crafted netlink dump requests can trigger a kernel heap out-of-bounds read, potentially leaking adjacent kernel memory or causing instability.
Affected Products
- Linux kernel — netfilter subsystem (net/netfilter/nfnetlink_cthelper.c)
- Multiple stable kernel branches receiving the backported fix (see referenced commits)
- Distributions shipping vulnerable kernel versions with CONFIG_NETFILTER_NETLINK_CTHELPER enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43450 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43450
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the netlink dump handler for connection tracking helpers. The function nfnl_cthelper_dump_table() iterates over nf_ct_helper_hash buckets using cb->args[0] as the bucket index and cb->args[1] as a pointer to the last-emitted helper. Between successive recvmsg() rounds, callers may resume the dump, and the kernel must locate the previously emitted helper to continue from the correct position.
The original implementation placed the restart block, which clears cb->args[1] and jumps back to the restart: label to re-traverse the current bucket when the saved helper has been removed, after the for loop rather than inside it. If the saved helper is deleted between rounds, no entry in any bucket matches last, cb->args[1] is never cleared, and the loop completes with cb->args[0] equal to nf_ct_helper_hsize. The subsequent goto restart then jumps back into the loop body without re-evaluating the loop condition, bypassing the bounds check entirely.
Root Cause
The root cause is incorrect control flow placement. The restart label sits outside the bounded for loop, so jumping to it dereferences nf_ct_helper_hash[nf_ct_helper_hsize] — one slot past the allocated hash table. KASAN reports an 8-byte read at the slab boundary, confirming a heap out-of-bounds read of a kernel pointer-sized value. The fix moves the restart block into the loop body so that the index remains within bounds before any retraversal occurs.
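The control-flow difference described above, as an added model that is not the kernel's code: a constructed 4-bucket hash stands in for nf_ct_helper_hash, the two cb->args slots are modelled by a small struct, and every bucket access goes through a guarded bucket() helper that records an out-of-range index instead of dereferencing it (the kernel has no such guard). The helper layout, the dump budget, and the names dump_round, run_scenario and struct result are all assumptions made for the demonstration. With the restart block after the loop, the resumed round reaches index HSIZE; with it inside the loop, the index never leaves the table.

```c
#include <stdio.h>

/* Constructed stand-ins for nf_ct_helper_hash and nf_ct_helper_hsize. */
#define HSIZE 4UL
#define NHELPERS 5

struct helper {
    int id;
    struct helper *next;
};

/* The two netlink_callback slots the dump uses:
 * args[0] = bucket index, args[1] = last emitted helper (pointer cast). */
struct dump_cb {
    unsigned long args[2];
};

struct result {
    unsigned long max_index;   /* highest bucket index the resumed round tried to read */
    int emitted;               /* helpers emitted by the resumed round */
};

static struct helper pool[NHELPERS];
static struct helper *helper_hash[HSIZE];
static unsigned long max_index_read;

/* Guarded bucket access: the real table would be read out of bounds here. */
static struct helper *bucket(unsigned long idx)
{
    if (idx > max_index_read)
        max_index_read = idx;
    return idx < HSIZE ? helper_hash[idx] : NULL;
}

/* One dump round; 'budget' models the skb filling up and 'fixed' selects
 * where the restart block lives. Returns the number of helpers emitted. */
static int dump_round(struct dump_cb *cb, int fixed, int budget)
{
    struct helper *cur, *last = (struct helper *)cb->args[1];
    int emitted = 0;

    for (; cb->args[0] < HSIZE; cb->args[0]++) {
restart:
        for (cur = bucket(cb->args[0]); cur; cur = cur->next) {
            if (cb->args[1]) {
                if (cur != last)
                    continue;              /* still looking for the saved helper */
                cb->args[1] = 0;           /* found it: emit from here on */
            }
            if (emitted == budget) {       /* skb full: remember position, stop */
                cb->args[1] = (unsigned long)cur;
                return emitted;
            }
            emitted++;
        }
        if (fixed && cb->args[1]) {        /* fixed: saved helper gone, redo this bucket */
            cb->args[1] = 0;
            goto restart;
        }
    }
    if (!fixed && cb->args[1]) {           /* vulnerable: args[0] == HSIZE when we jump */
        cb->args[1] = 0;
        goto restart;
    }
    return emitted;
}

static void build_hash(void)
{
    unsigned long i;
    for (i = 0; i < HSIZE; i++)
        helper_hash[i] = NULL;
    for (i = 0; i < NHELPERS; i++) {       /* helper i is pushed onto bucket i % HSIZE */
        pool[i].id = (int)i;
        pool[i].next = helper_hash[i % HSIZE];
        helper_hash[i % HSIZE] = &pool[i];
    }
}

/* Remove a helper from its bucket, as a delete between rounds would. */
static void unlink_helper(struct helper *h)
{
    unsigned long i;
    for (i = 0; i < HSIZE; i++) {
        struct helper **pp;
        for (pp = &helper_hash[i]; *pp; pp = &(*pp)->next)
            if (*pp == h) { *pp = h->next; return; }
    }
}

/* Round 1 stops after two helpers, the helper saved in args[1] is deleted,
 * then round 2 resumes; reports what the resumed round did. */
static struct result run_scenario(int fixed)
{
    struct dump_cb cb = { { 0, 0 } };
    struct result r;

    build_hash();
    dump_round(&cb, fixed, 2);
    unlink_helper((struct helper *)cb.args[1]);
    max_index_read = 0;
    r.emitted = dump_round(&cb, fixed, 1000);
    r.max_index = max_index_read;
    return r;
}

int main(void)
{
    struct result v = run_scenario(0), f = run_scenario(1);
    printf("vulnerable: highest index read %lu of %lu buckets, emitted %d\n", v.max_index, HSIZE, v.emitted);
    printf("fixed:      highest index read %lu of %lu buckets, emitted %d\n", f.max_index, HSIZE, f.emitted);
    return 0;
}
```

The vulnerable variant returns a max_index equal to HSIZE, the one-past-the-end slot, and emits nothing; the fixed variant stays at HSIZE - 1 and re-emits the surviving helpers from the bucket where the dump was interrupted.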
Attack Vector
Exploitation requires a local attacker capable of opening an NFNL_SUBSYS_CTHELPER netlink socket and issuing a dump request, then deleting the helper recorded in cb->args[1] between dump rounds. The race results in a deterministic out-of-bounds read of adjacent kernel heap memory. The leaked qword can include kernel pointers useful for defeating Kernel Address Space Layout Randomization (KASLR) in subsequent exploitation chains. No memory write primitive is provided by this flaw alone.
No verified public proof-of-concept code is referenced in the advisory. The KASAN call trace identifies nfnl_cthelper_dump_table+0x9f/0x1b0 reached through netlink_dump and __sys_recvfrom.
Detection Methods for CVE-2026-43450
Indicators of Compromise
- KASAN slab-out-of-bounds reports referencing nfnl_cthelper_dump_table in dmesg or kernel logs
- Unexpected recvfrom() activity on AF_NETLINK sockets bound to NETLINK_NETFILTER from unprivileged processes
- Kernel oops or panic traces originating in the netfilter cthelper dump path
Detection Strategies
- Enable KASAN on test and staging kernels to surface out-of-bounds reads in nf_ct_helper_hash during fuzzing or workload replay
- Review auditd logs for processes invoking netlink dump operations against the nfnetlink_cthelper subsystem without CAP_NET_ADMIN
- Correlate kernel ring-buffer messages with process telemetry to identify suspicious sequences of helper creation, deletion, and dump
Monitoring Recommendations
- Monitor /proc/net/netlink for sockets subscribed to the NFNL_SUBSYS_CTHELPER family from non-administrative users
- Alert on rapid nfnetlink helper add/delete cycles interleaved with NLM_F_DUMP requests
- Track kernel crash telemetry across the fleet and triage any KASAN or BUG reports referencing netfilter symbols
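The first indicator above, a KASAN slab-out-of-bounds report naming nfnl_cthelper_dump_table, as an added detection example that is not part of the advisory. It groups kernel log lines into KASAN report blocks and flags those whose bug type is slab-out-of-bounds and whose trace reaches the cthelper dump symbol. The log lines are constructed for the demo: only the symbol name and its +0x9f/0x1b0 offset come from the advisory, the addresses and task names are placeholders, other frames carry no offsets, and the unrelated report uses a made-up function name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a dmesg excerpt (not real captured output). */
static const char *const sample_log[] = {
    "[  12.001] BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0",
    "[  12.002] Read of size 8 at addr ffff888000000000 by task dumper/1234",
    "[  12.003] Call Trace:",
    "[  12.004]  nfnl_cthelper_dump_table+0x9f/0x1b0",
    "[  12.005]  netlink_dump",
    "[  12.006]  __sys_recvfrom",
    "[  12.007] ==================================================================",
    "[  30.100] BUG: KASAN: use-after-free in placeholder_unrelated_fn",
    "[  30.101] Read of size 4 at addr ffff888000001000 by task other/4321",
    "[  30.102] ==================================================================",
    "[  45.000] audit: type=1400 msg=placeholder (unrelated line)",
};

struct kasan_report {
    char bug_type[32];      /* e.g. "slab-out-of-bounds" */
    char faulting_fn[64];   /* symbol after " in " on the BUG line */
    int read_size;          /* from "Read of size N", 0 if absent */
    int hits_cthelper;      /* any line of the report names the dump function */
};

/* Parse "BUG: KASAN: <type> in <symbol>+off/len". Returns 1 on success. */
static int parse_bug_line(const char *line, struct kasan_report *r)
{
    const char *p = strstr(line, "BUG: KASAN: ");
    const char *in;
    size_t n;

    if (!p)
        return 0;
    p += strlen("BUG: KASAN: ");
    in = strstr(p, " in ");
    if (!in)
        return 0;
    n = (size_t)(in - p);
    if (n >= sizeof r->bug_type)
        n = sizeof r->bug_type - 1;
    memcpy(r->bug_type, p, n);
    r->bug_type[n] = '\0';
    in += strlen(" in ");
    n = strcspn(in, "+ \n");                 /* symbol ends at '+' or whitespace */
    if (n >= sizeof r->faulting_fn)
        n = sizeof r->faulting_fn - 1;
    memcpy(r->faulting_fn, in, n);
    r->faulting_fn[n] = '\0';
    r->read_size = 0;
    r->hits_cthelper = strcmp(r->faulting_fn, "nfnl_cthelper_dump_table") == 0;
    return 1;
}

/* Walk the log, grouping lines into reports delimited by the BUG header and the
 * trailing "====" separator. Returns the number of slab-out-of-bounds reports in
 * the cthelper dump path; the first such report is copied to *first if non-NULL. */
static int count_cthelper_oob_reports(const char *const *lines, size_t nlines,
                                      struct kasan_report *first)
{
    struct kasan_report cur;
    int in_report = 0, count = 0;
    size_t i;

    for (i = 0; i < nlines; i++) {
        const char *l = lines[i], *rs;
        if (strstr(l, "BUG: KASAN: ")) {
            in_report = parse_bug_line(l, &cur);
            continue;
        }
        if (!in_report)
            continue;
        rs = strstr(l, "Read of size ");
        if (rs)
            cur.read_size = atoi(rs + strlen("Read of size "));
        if (strstr(l, "nfnl_cthelper_dump_table"))
            cur.hits_cthelper = 1;
        if (strstr(l, "=====")) {            /* end of this report */
            if (cur.hits_cthelper && strcmp(cur.bug_type, "slab-out-of-bounds") == 0) {
                if (count == 0 && first)
                    *first = cur;
                count++;
            }
            in_report = 0;
        }
    }
    return count;
}

static int sample_hit_count(void)
{
    return count_cthelper_oob_reports(sample_log, sizeof sample_log / sizeof sample_log[0], NULL);
}

static struct kasan_report sample_report(void)
{
    struct kasan_report r = { "", "", 0, 0 };
    count_cthelper_oob_reports(sample_log, sizeof sample_log / sizeof sample_log[0], &r);
    return r;
}

int main(void)
{
    struct kasan_report r = sample_report();
    printf("cthelper OOB reports: %d (first: %s in %s, read size %d)\n",
           sample_hit_count(), r.bug_type, r.faulting_fn, r.read_size);
    return 0;
}
```

On the sample the scanner reports one hit, a slab-out-of-bounds read of size 8 in nfnl_cthelper_dump_table, and ignores the unrelated use-after-free report; pointing the same logic at real dmesg or journal output only requires feeding it lines instead of the constructed array.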
How to Mitigate CVE-2026-43450
Immediate Actions Required
- Apply the upstream stable patches referenced below to all affected kernel branches and reboot
- Restrict CAP_NET_ADMIN and namespace-creation privileges to trusted accounts to limit reachability of the vulnerable code path
- If patching is delayed, unload or disable the nf_conntrack_netlink and cthelper modules where they are not operationally required
Patch Information
The fix moves the restart block inside the for loop body so that the bounds check on cb->args[0] is honored before any retraversal. The patch has been merged across multiple stable trees. See the upstream commits: Linux Kernel Commit 05018cd, Linux Kernel Commit 0605e1, Linux Kernel Commit 3cc328f, Linux Kernel Commit 4a1f6ee, Linux Kernel Commit 61b3a1f, Linux Kernel Commit 6dcee84, Linux Kernel Commit 894c578, and Linux Kernel Commit 92441f6.
Workarounds
- Blacklist the nfnetlink_cthelper module on systems that do not require user-space connection tracking helpers
- Disable unprivileged user namespaces to prevent attackers from acquiring CAP_NET_ADMIN in a sandboxed namespace
- Apply seccomp profiles that block socket(AF_NETLINK, ...) for workloads that have no legitimate netlink requirement
# Blacklist the vulnerable module until the kernel can be patched
echo 'blacklist nfnetlink_cthelper' | sudo tee /etc/modprobe.d/cve-2026-43450.conf
# 'blacklist' only stops alias-based autoloading; to refuse explicit modprobe as well, add:
echo 'install nfnetlink_cthelper /bin/false' | sudo tee -a /etc/modprobe.d/cve-2026-43450.conf
# Unload the module now if it is loaded (no-op if it is not or if it is in use)
sudo rmmod nfnetlink_cthelper 2>/dev/null || true
# Restrict unprivileged user namespace creation (reduces local attack surface).
# kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels;
# on other kernels use user.max_user_namespaces=0 instead
sudo sysctl -w kernel.unprivileged_userns_clone=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.