Security Vulnerability Report
CVE-2026-43084 CVSS 7.8 HIGH


Published: 2026-05-06 10:16:22
Last Modified: 2026-05-08 13:16:39
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
 nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
 nfnetlink_rcv_msg+0x46a/0x930
 kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < 6.8 (speculative, based on the stable-branch patches)
Linux Kernel (specific unpatched versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// Conceptual PoC skeleton for triggering race condition in nfnetlink_queue
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/socket.h>
#include <linux/netlink.h>

// This is a simulation structure to represent the logic
// Real exploitation requires interacting with kernel netlink sockets
void* trigger_race(void* arg) {
    (void)arg; // unused
    // Simulate sending verdicts and modifying queue entries
    // In a real scenario, this interacts with nfnetlink_queue
    for (int i = 0; i < 1000; i++) {
        // Send netlink message to queue
        // Trigger kfree in one thread
        // Trigger access in another thread
    }
    return NULL;
}

int main(void) {
    pthread_t t1, t2;
    // Setup netlink socket (omitted for brevity/safety)
    pthread_create(&t1, NULL, trigger_race, NULL);
    pthread_create(&t2, NULL, trigger_race, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}

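References

https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252
https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a
https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d
https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f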

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43084", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:21.610", "lastModified": "2026-05-08T13:16:38.660", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: make hash table per queue\n\nSharing a global hash table among all queues is tempting, but\nit can cause crash:\n\nBUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n[..]\n nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n nfnetlink_rcv_msg+0x46a/0x930\n kmem_cache_alloc_node_noprof+0x11e/0x450\n\nstruct nf_queue_entry is freed via kfree, but parallel cpu can still\nencounter such an nf_queue_entry when walking the list.\n\nAlternative fix is to free the nf_queue_entry via kfree_rcu() instead,\nbut as we have to alloc/free for each skb this will cause more mem\npressure."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": 
"https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}