CVE-2026-43329

/* * Conceptual PoC for CVE-2026-43329 * Triggering the flowtable action limit overflow in Linux Kernel Netfilter. * This requires a system with IPv6, netfilter flowtable, and HW offload support. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> int main() { printf("[+] PoC for CVE-2026-43329: Netfilter Flowtable Action Overflow\n"); printf("[+] Attempting to configure rules that exceed action limit (17 > 16)\n"); // In a real exploit scenario, the attacker would use netlink or libcalls to: // 1. Create a bridge/interface with HW offload support. // 2. Configure an IPv6 flowtable. // 3. Add a rule with: Ethernet Mangling + SNAT + DNAT + QinQ + Redirect. // Total actions = 4 (Eth) + 4 (SNAT) + 4 (DNAT) + 4 (VLAN) + 1 (Redir) = 17. // Pseudo-code for rule creation // system("nft add table ip6 filter"); // system("nft add flowtable ip6 filter f { hook ingress priority 0 ; devices = { eth0 } ; }"); // system("nft add chain ip6 filter forward { type filter hook forward priority 0 ; }"); // system("nft add rule ip6 filter forward flow offload @f"); // (Assuming traffic matches complex NAT/VLAN criteria) printf("[!] Triggering traffic to cause kernel panic or memory corruption...\n"); // send_specific_ipv6_traffic(); return 0; }

{"cve": {"id": "CVE-2026-43329", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:42.520", "lastModified": "2026-05-11T08:16:09.573", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: strictly check for maximum number of actions\n\nThe maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports for tunnels\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address takes 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, rise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}