CVE-2026-43454 Overview
CVE-2026-43454 is a vulnerability in the Linux kernel's netfilter subsystem, specifically within the nf_tables netdev hook handling logic. When the kernel processes a NETDEV_REGISTER notification, the code fails to prevent duplicate device registration in cases where the device was already added by nft_netdev_hook_alloc() during hook creation. The flaw allows a local authenticated attacker to corrupt internal kernel state through duplicated entries in the netdev hook list.
The vulnerability affects the integrity, confidentiality, and availability of the host. Linux kernel maintainers have merged fixes upstream across multiple stable trees.
Critical Impact
A local attacker with low privileges can leverage the duplicate device registration condition in nf_tables netdev hooks to escalate privileges or destabilize the kernel.
Affected Products
- Linux kernel (mainline) versions containing the unpatched nf_tables netdev hook registration logic
- Linux stable kernel branches prior to the commits referenced in the upstream fix
- Distributions shipping vulnerable kernel builds with CONFIG_NF_TABLES_NETDEV enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43454 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43454
Vulnerability Analysis
The vulnerability resides in the nf_tables netfilter subsystem, which allows administrators to define packet filtering hooks attached to network devices. The kernel maintains a list of devices associated with a netdev chain through hook structures allocated by nft_netdev_hook_alloc().
When a network device is created, the kernel emits a NETDEV_REGISTER notification. The netdev hook notifier processes this event and attempts to add the device to the relevant chain. The pre-patch code path does not check whether the device was already registered when the hook was first created, leading to duplicate entries in the hook list. Duplicate registration corrupts kernel data structures used during packet processing and teardown.
The issue has a local attack vector and high impact on confidentiality, integrity, and availability. EPSS data places the exploitation probability at 0.013% as of the publication window.
Root Cause
The root cause is missing duplicate-detection logic in the NETDEV_REGISTER notification handler within nf_tables. Because nft_netdev_hook_alloc() can add a device entry during hook creation, the subsequent notifier path must verify that the device is not already present before adding it again. Without this check the kernel is left with inconsistent list state, the kind of condition seen in race-condition and list-manipulation flaws.
Attack Vector
An attacker with local access and the ability to create or manipulate nf_tables netdev hooks, typically requiring CAP_NET_ADMIN within a user namespace on systems where unprivileged user namespaces are enabled, can trigger the duplicate registration sequence. By coordinating hook allocation with device registration events, the attacker corrupts hook list integrity. The corrupted state can be leveraged for use-after-free style behavior during cleanup, enabling potential privilege escalation or kernel crash.
Verified exploitation code is not publicly available. See the upstream commits at Kernel Git Commit Changes, Kernel Git Commit Bugfix, and Kernel Git Commit Update for the corrective changes.
Detection Methods for CVE-2026-43454
Indicators of Compromise
- Unexpected kernel oops or WARN_ON messages referencing nf_tables, nft_netdev_hook, or list manipulation routines in dmesg
- Repeated creation and teardown of netdev-type nft chains by unprivileged or low-privileged user sessions
- Kernel panics correlated with rapid network interface creation events such as veth, dummy, or macvlan provisioning
Detection Strategies
- Audit kernel logs for stack traces involving nft_netdev_hook_alloc, nf_tables_netdev_event, or list corruption warnings.
- Monitor process activity invoking nft or raw netlink NFNL_SUBSYS_NFTABLES operations from non-administrative contexts.
- Correlate unshare and user namespace creation events with subsequent netfilter configuration changes on the same process tree.
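The three detection strategies above can be turned into a pair of small shell helpers. The following is an added example, not code from the advisory or from the kernel project: count_kernel_log_hits greps kernel log text for the two nf_tables symbols named above plus the messages the kernel's list-debugging checks print when a list invariant is violated, and correlate_userns_nft reads auditd SYSCALL records in time order and reports an nft execution by a process (or one of its direct children) that earlier called unshare(2) with CLONE_NEWUSER. The dmesg lines and audit records at the bottom are constructed for this example; the syscall numbers (272 for unshare, 59 for execve) are x86_64 values, and the record layout is assumed to follow the standard `type=SYSCALL ... a0= ... ppid= pid= ... comm=` form.

```shell
#!/bin/sh
# Added example (not from the original advisory): detection helpers for the
# indicators listed under Detection Strategies. Sample inputs are constructed.

# Kernel-log strings worth alerting on: the two symbols the advisory names and the
# messages CONFIG_DEBUG_LIST emits when a linked-list invariant breaks.
NFT_NETDEV_INDICATORS='nft_netdev_hook_alloc|nf_tables_netdev_event|list_add corruption|list_del corruption|__list_add_valid|__list_del_entry_valid'

# count_kernel_log_hits: read kernel log lines on stdin, print how many match.
count_kernel_log_hits() {
    n=$(grep -E -c "$NFT_NETDEV_INDICATORS") || true   # grep exits 1 on zero matches
    printf '%s\n' "${n:-0}"
}

# audit_field NAME LINE: value of the first " NAME=value" token in an audit record,
# quotes stripped; prints an empty line when the field is absent.
audit_field() {
    rest=${2#* $1=}
    if [ "$rest" = "$2" ]; then printf '\n'; return 0; fi
    v=${rest%% *}; v=${v#\"}; v=${v%\"}
    printf '%s\n' "$v"
}

# userns_flag_set HEX: succeed when CLONE_NEWUSER (0x10000000) is set in the
# unshare(2) flags word, which auditd records in hex in field a0.
userns_flag_set() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 & 0x10000000 )) -ne 0 ]
}

# correlate_userns_nft: read SYSCALL records on stdin in chronological order. Remember
# every pid that called unshare (272 on x86_64) with CLONE_NEWUSER, then report a later
# execve (59) of nft by that pid or by a direct child. Prints the number of alerts.
correlate_userns_nft() {
    userns_pids=' '
    hits=0
    while IFS= read -r line; do
        case $line in *type=SYSCALL*) ;; *) continue ;; esac
        pid=$(audit_field pid "$line")
        ppid=$(audit_field ppid "$line")
        sysno=$(audit_field syscall "$line")
        if [ "$sysno" = 272 ]; then
            if userns_flag_set "$(audit_field a0 "$line")"; then
                userns_pids="$userns_pids$pid "
            fi
        elif [ "$sysno" = 59 ] && [ "$(audit_field comm "$line")" = nft ]; then
            case $userns_pids in
                *" $pid "*|*" $ppid "*)
                    hits=$((hits + 1))
                    echo "ALERT: nft run by pid $pid (ppid $ppid, uid $(audit_field uid "$line")) after a CLONE_NEWUSER unshare" >&2 ;;
            esac
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed dmesg excerpt: one list-debug warning with an nf_tables backtrace.
sample_kernel_log() {
    cat <<'EOF'
[  120.431] veth0: renamed from eth0
[  120.502] WARNING: CPU: 1 PID: 1234 at lib/list_debug.c:31 __list_add_valid+0x4e/0x70
[  120.503] list_add corruption. prev->next should be next (ffff8881aabbcc00), but was ffff8881aabbcc40 (prev=ffff8881aabbcc80).
[  120.510] Call Trace:
[  120.511]  nft_netdev_hook_alloc+0x12/0x80 [nf_tables]
[  120.512]  nf_tables_netdev_event+0x1a3/0x2c0 [nf_tables]
[  121.000] usb 1-1: new high-speed USB device number 3
EOF
}

# Constructed audit records: pid 1234 unshares a user namespace and execs nft itself;
# pid 2000 unshares and its child 2001 execs nft; pid 3000 unshares only CLONE_NEWPID
# (a0=20000000) so its child's nft run is not flagged; pid 777 is an ordinary root run.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1778000000.101:201): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare"
type=SYSCALL msg=audit(1778000000.102:202): arch=c000003e syscall=59 success=yes exit=0 a0=55a0 a1=55b0 a2=55c0 a3=0 items=2 ppid=1000 pid=1234 auid=1000 uid=0 comm="nft" exe="/usr/sbin/nft"
type=SYSCALL msg=audit(1778000000.103:203): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=2000 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare"
type=SYSCALL msg=audit(1778000000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=55a0 a1=55b0 a2=55c0 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=0 comm="nft" exe="/usr/sbin/nft"
type=SYSCALL msg=audit(1778000000.105:205): arch=c000003e syscall=272 success=yes exit=0 a0=20000000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=3000 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare"
type=SYSCALL msg=audit(1778000000.106:206): arch=c000003e syscall=59 success=yes exit=0 a0=55a0 a1=55b0 a2=55c0 a3=0 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 comm="nft" exe="/usr/sbin/nft"
type=SYSCALL msg=audit(1778000000.107:207): arch=c000003e syscall=59 success=yes exit=0 a0=55a0 a1=55b0 a2=55c0 a3=0 items=2 ppid=1 pid=777 auid=0 uid=0 comm="nft" exe="/usr/sbin/nft"
EOF
}

# Stand-alone run over the constructed samples.
echo "kernel log indicator lines: $(sample_kernel_log | count_kernel_log_hits)"
echo "nft-after-userns correlations: $(sample_audit_log | correlate_userns_nft)"
```

On a live host, pipe dmesg output into count_kernel_log_hits and the raw SYSCALL records from ausearch or the audit log file into correlate_userns_nft; records must be in chronological order because the correlation only looks backwards from an nft execution. Other architectures use different syscall numbers, so adjust the two constants for non-x86_64 fleets.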
Monitoring Recommendations
- Forward kernel ring buffer and auditd events to a centralized logging or SIEM pipeline for retention and correlation.
- Track CAP_NET_ADMIN usage inside user namespaces and alert on uncommon invocations from interactive shells.
- Inventory running kernel versions across the fleet and flag hosts lacking the upstream stable fix commits.
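The fleet inventory step above needs a way to decide, per host, whether the running kernel is older than the first release of its stable branch that carries the fix. The following is an added example, not code from the advisory or the kernel project: it parses the base version out of a `uname -r` string, compares dotted versions numerically, and looks the branch up in a fixed-version table. The advisory names only the fix commit ids, so the FIXED_VERSIONS table is a labelled placeholder to be filled from your vendor's or the stable tree's announcements; the version strings used in the stand-alone run and its checks are constructed.

```shell
#!/bin/sh
# Added example (not from the original advisory): per-host check of the running
# kernel against a branch -> first-fixed-release table.

# PLACEHOLDER table, one "MAJOR.MINOR FIRST_FIXED_RELEASE" pair per line. The advisory
# gives commit ids only; fill in real version numbers from your vendor or stable tree.
FIXED_VERSIONS='
# branch  first-fixed-release   (placeholder: no entries until you add them)
'

# kernel_base_version RELEASE: leading dotted numeric part, e.g. "6.12.35-1-amd64" -> "6.12.35"
kernel_base_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B; missing components count as 0
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# kernel_fix_status RELEASE TABLE: print "patched", "vulnerable" or "unknown-branch"
# (exit status 0, 1 or 2). Lines of TABLE that are not "MAJOR.MINOR VERSION" are ignored.
kernel_fix_status() {
    base=$(kernel_base_version "$1")
    case $base in *.*) ;; *) echo unknown-branch; return 2 ;; esac
    major=${base%%.*}; rest=${base#*.}; minor=${rest%%.*}
    fixed=$(printf '%s\n' "$2" | awk -v b="$major.$minor" '$1 == b { print $2; exit }')
    if [ -z "$fixed" ]; then
        echo unknown-branch; return 2
    elif version_ge "$base" "$fixed"; then
        echo patched; return 0
    else
        echo vulnerable; return 1
    fi
}

# Stand-alone run: with the placeholder table every host reports unknown-branch,
# which is the safe default until the table is populated.
echo "$(uname -r): $(kernel_fix_status "$(uname -r)" "$FIXED_VERSIONS")"
```

Run it through your configuration-management or inventory tooling and treat both "vulnerable" and "unknown-branch" as actionable: an unknown branch means either a kernel you have not classified yet or a vendor kernel whose version scheme needs its own table entry.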
How to Mitigate CVE-2026-43454
Immediate Actions Required
- Apply the upstream stable kernel updates that incorporate the fix commits 2041cdb0, 6d2a95c6, and b7cdc5a9.
- Rebuild or update distribution kernel packages and reboot affected hosts to load the patched kernel.
- Restrict CAP_NET_ADMIN and disable unprivileged user namespaces where operationally feasible.
Patch Information
The Linux kernel maintainers resolved the issue by checking for an existing entry before adding a device in the NETDEV_REGISTER notifier path of nf_tables. The corrective changes are available at Kernel Git Commit Changes, Kernel Git Commit Bugfix, and Kernel Git Commit Update. Consult your distribution vendor for backported releases.
Workarounds
- Disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 on supported distributions.
- Remove or restrict the nf_tables and nf_tables_netdev modules on hosts that do not require netfilter netdev chains.
- Limit which users and containers may load kernel modules or invoke nft against netdev-type chains.
# Configuration example: disable unprivileged user namespaces and block loading of the netdev netfilter module
# kernel.unprivileged_userns_clone exists only on distributions that carry that patch (Debian/Ubuntu);
# on other kernels the upstream equivalent is user.max_user_namespaces=0, which also affects root.
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' > /etc/sysctl.d/99-cve-2026-43454.conf
# Prevent loading the netdev netfilter module if unused. On kernels where netdev chain support is
# compiled into nf_tables itself (CONFIG_NF_TABLES_NETDEV) there is no separate module and this line
# has no effect; disabling nf_tables as a whole is then the only module-level control.
echo 'install nf_tables_netdev /bin/true' > /etc/modprobe.d/disable-nf_tables_netdev.conf
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.