CVE-2026-43916 Overview
CVE-2026-43916 is a heap buffer over-read [CWE-125] in pam_authnft, a Pluggable Authentication Module (PAM) session module that binds nftables firewall rules to authenticated sessions through cgroupv2 inodes. The flaw resides in peer_lookup_tcp at src/peer_lookup.c:134. A crafted NETLINK_SOCK_DIAG reply bypasses the message-size check and causes the code to dereference memory past the end of the allocation. Versions prior to 0.2.0-alpha are affected. The fix is included in 0.2.0-alpha.
Critical Impact
An attacker delivering a malformed netlink socket diagnostic reply can trigger an out-of-bounds read in an authentication-path component, leading to process crash and denial of service.
Affected Products
- pam_authnft PAM session module
- All releases prior to 0.2.0-alpha
- Linux hosts using pam_authnft to bind nftables rules to authenticated user sessions
Discovery Timeline
- 2026-05-12 - CVE-2026-43916 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43916
Vulnerability Analysis
pam_authnft queries the kernel through the NETLINK_SOCK_DIAG interface to map TCP peers to authenticated sessions. The peer_lookup_tcp routine parses replies from the kernel and validates the declared message length before reading individual attributes. The pre-patch check in src/peer_lookup.c:134 does not enforce that the message length stays within the bounds of the allocated buffer. A reply that advertises a length larger than the underlying allocation passes the check, and subsequent attribute parsing reads memory beyond the allocation. The over-read occurs inside the PAM session flow, so any local process that can speak to the netlink diagnostic socket, or any attacker who can influence the responses on that socket, can trigger the condition during authentication.
Root Cause
The root cause is an inadequate boundary check on attacker-influenced length fields in netlink replies. The validation compares the netlink message length to a structural minimum rather than to the size of the receive buffer. Once the malformed message advances the parser cursor past the allocation, the heap content adjacent to the buffer is dereferenced, classified as an out-of-bounds read [CWE-125].
Attack Vector
The attack vector is network-adjacent through the Linux netlink subsystem. An attacker who can place crafted NETLINK_SOCK_DIAG responses, or who controls a process that can interact with the diagnostic socket consumed by pam_authnft, can cause the PAM module to read past the end of its heap buffer. The primary observed impact is availability: the authentication helper crashes, denying interactive logins and breaking session-bound firewall enforcement.
No verified public proof-of-concept exists. The vulnerability manifests in the netlink reply parsing path in peer_lookup_tcp. See the GitHub Security Advisory and the GitHub Pull Request for the upstream fix details.
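To make the boundary check concrete, here is an added example, not code from pam_authnft or its upstream fix: a minimal netlink-style reply parser with a pre-patch style length check (structural minimum only) beside a hardened one (declared length must also fit in the bytes received), run over a constructed 32-byte reply whose header claims 4096 bytes. The header and attribute layouts, REPLY_LEN and every sample value are assumptions built for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed headers laid out like the kernel's struct nlmsghdr (16 bytes) and struct nlattr (4 bytes). */
struct nl_hdr  { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct nl_attr { uint16_t len; uint16_t type; };
#define NL_ALIGN(n) (((n) + 3u) & ~3u)
#define REPLY_LEN 32u   /* bytes actually received for the sample reply built below */
/* Pre-patch style check: only the structural minimum is enforced; the received size is ignored. */
int check_len_weak(const struct nl_hdr *h, size_t received) {
    (void)received; return h->len >= sizeof(struct nl_hdr);
}
/* Hardened check: the declared length must also fit inside the bytes that were received. */
int check_len_strict(const struct nl_hdr *h, size_t received) {
    return h->len >= sizeof(struct nl_hdr) && h->len <= received;
}
/* Walks one reply's attributes, trusting only received bytes; returns the count, or -1 on any overrun. */
int count_attrs_safe(const uint8_t *buf, size_t received) {
    struct nl_hdr h; if (received < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (!check_len_strict(&h, received)) return -1;
    size_t off = sizeof h, n = 0;
    while (off + sizeof(struct nl_attr) <= h.len) {
        struct nl_attr a; memcpy(&a, buf + off, sizeof a);
        if (a.len < sizeof a || off + a.len > h.len) return -1;
        n++; off += NL_ALIGN(a.len);
    }
    return (int)n;
}
/* Builds a constructed 32-byte reply (header + two attributes) whose header claims declared_len bytes. */
size_t build_reply(uint8_t out[REPLY_LEN], uint32_t declared_len) {
    struct nl_hdr h = { declared_len, 20, 2, 1, 0 };
    struct nl_attr a1 = { 8, 1 }, a2 = { 5, 2 };
    uint8_t peer[4] = { 127, 0, 0, 1 };             /* constructed sample attribute payload */
    memset(out, 0, REPLY_LEN);
    memcpy(out, &h, 16); memcpy(out + 16, &a1, 4); memcpy(out + 20, peer, 4);
    memcpy(out + 24, &a2, 4); out[28] = 6;          /* 1-byte payload plus 3 bytes of padding */
    return REPLY_LEN;
}
/* Attribute count the hardened parser reports for a sample reply whose header claims declared_len bytes. */
int attr_count_for(uint32_t declared_len) {
    uint8_t buf[REPLY_LEN];
    return count_attrs_safe(buf, build_reply(buf, declared_len));
}
/* Forged reply: the header claims 4096 bytes although only 32 arrived. Returns 1 if check accepts it. */
int forged_accepted_by(int (*check)(const struct nl_hdr *, size_t)) {
    uint8_t buf[REPLY_LEN]; struct nl_hdr h;
    build_reply(buf, 4096); memcpy(&h, buf, sizeof h);
    return check(&h, REPLY_LEN);
}
```

Real netlink consumers should lean on the kernel's NLMSG_OK() macro, which already folds the received-length comparison shown by check_len_strict into the header validation.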
Detection Methods for CVE-2026-43916
Indicators of Compromise
- Repeated crashes or SIGSEGV signals in processes loading pam_authnft.so during PAM session setup
- coredump artifacts referencing peer_lookup_tcp in the call stack
- Failed or incomplete nftables rule installation tied to authenticated sessions on affected hosts
- Unexpected NETLINK_SOCK_DIAG traffic patterns from non-administrative processes
Detection Strategies
- Inventory hosts that load pam_authnft through /etc/pam.d/* configuration and confirm the installed version is 0.2.0-alpha or later
- Monitor auth.log, journald, and audit records for PAM session failures correlated with crash events in the authentication stack
- Capture and review core dumps from any process loading pam_authnft.so to confirm out-of-bounds read signatures in peer_lookup_tcp
Monitoring Recommendations
- Forward PAM, audit, and kernel logs to a centralized SIEM and alert on crash patterns in authentication binaries
- Track netlink socket usage by non-root processes and flag unexpected NETLINK_SOCK_DIAG interactions
- Baseline successful versus failed session establishment rates on hosts running pam_authnft to identify regression spikes after exploitation attempts
How to Mitigate CVE-2026-43916
Immediate Actions Required
- Upgrade pam_authnft to version 0.2.0-alpha or later on all affected Linux hosts
- Audit /etc/pam.d/ to identify every service stack that invokes pam_authnft and validate post-patch behavior
- Restrict local access on hosts that cannot be patched immediately and limit which accounts can interact with netlink diagnostic sockets
Patch Information
The upstream fix is available in pam_authnft 0.2.0-alpha. The patch corrects the message-size validation in peer_lookup_tcp so that NETLINK_SOCK_DIAG replies cannot advance the parser past the allocated buffer. Review the GitHub Pull Request and the GitHub Security Advisory for commit-level details before deployment.
Workarounds
- Temporarily remove pam_authnft entries from PAM stacks where session-bound nftables enforcement is not required
- Apply kernel-level restrictions on NETLINK_SOCK_DIAG access using seccomp or namespace isolation for untrusted local processes
- Increase logging verbosity on the authentication subsystem to detect exploitation attempts until the patched build is rolled out
# Verify installed pam_authnft version and locate PAM stacks referencing the module
# Debian/Ubuntu: print the installed version (expect 0.2.0-alpha or later)
dpkg -s pam_authnft 2>/dev/null | grep -E '^Version'
# RHEL/Fedora equivalent
rpm -q pam_authnft 2>/dev/null
# List every PAM service stack that loads the module
grep -RIn 'pam_authnft' /etc/pam.d/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.