PatchSiren cyber security CVE debrief
CVE-2026-43329 Git CVE debrief
CVE-2026-43329 is a Linux kernel netfilter flowtable vulnerability caused by insufficient validation of the number of hardware offload actions built for a single flow. The issue is most relevant to IPv6 setups, where one flow can require more actions than the previous limit allowed, especially when Ethernet header mangling, SNAT, DNAT, double VLAN (QinQ) handling, redirect, and tunnel-related actions are combined. The fix tightens the action-count checks and raises the per-flow maximum from 16 to 24 so that valid IPv6 offload configurations are handled safely.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux operators and vendors using kernels with netfilter flowtable hardware offload, especially in environments that rely on IPv6, VLAN/QinQ, NAT, redirects, or tunnel-aware offload. Security teams should prioritize systems where untrusted local users can influence networking configuration or packet paths.
Technical summary
The record states that the maximum number of flowtable hardware offload actions for an IPv6 flow can reach 17, exceeding the prior limit of 16, and that this count was not checked against the limit. Payload mangling actions operate at 32-bit word granularity, so rewriting a 128-bit IPv6 address consumes four actions per address (SNAT and DNAT together need eight), on top of the Ethernet, VLAN, redirect and port-rewrite actions; act_ct can add tunnel-related actions as well. The fix updates the flow_action_entry_next() call sites to enforce the maximum supported action count and raises the per-flow action budget to 24 to accommodate legitimate IPv6 offload cases.
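To make the bounds problem concrete, here is a constructed C model, added for this debrief and not taken from the kernel or from the fix commits, of a per-flow action array handed out by a next-entry helper. The names entry_next_unchecked()/entry_next_checked(), the per-component counts in ipv6_worst_case_actions(), and the treatment of Ethernet and IPv6 fields as 32-bit mangle words are assumptions chosen to match the record's description; the 16 and 24 budgets are the figures the record gives.

```c
#include <stdbool.h>
#include <stdio.h>

/* Action budget per flow: 16 before the fix, 24 after (figures from the CVE record). */
#define ACTION_MAX_OLD 16
#define ACTION_MAX_NEW 24

/* Constructed model of a flow rule's action array; not the kernel's structure. */
struct flow_rule_model {
    int capacity;                 /* entries the array was allocated for */
    int num_entries;              /* entries handed out so far */
    int entries[ACTION_MAX_NEW];  /* sized for the larger budget so the model stays safe */
};

/* Modelled pre-fix pattern: hand out the next slot without checking capacity.
 * An index >= capacity means the caller would write past the allocated array. */
static int entry_next_unchecked(struct flow_rule_model *r)
{
    return r->num_entries++;
}

/* Modelled post-fix pattern: refuse with -1 once the budget is exhausted. */
static int entry_next_checked(struct flow_rule_model *r)
{
    if (r->num_entries >= r->capacity)
        return -1;
    return r->num_entries++;
}

/* 32-bit mangle words needed for a field of `bytes` bytes (assumed encoding). */
static int mangle_words(int bytes)
{
    return (bytes + 3) / 4;
}

/* Worst-case IPv6 action tally assumed for illustration: Ethernet dst+src mangle,
 * IPv6 SNAT and DNAT, one L4 port rewrite, two VLAN pushes (QinQ), a redirect,
 * and one tunnel action from act_ct. The per-component counts are assumptions. */
static int ipv6_worst_case_actions(void)
{
    int n = 0;
    n += mangle_words(6) + mangle_words(6);    /* Ethernet dst + src: 2 + 2 */
    n += mangle_words(16) + mangle_words(16);  /* IPv6 SNAT + DNAT: 4 + 4 */
    n += 1;                                    /* L4 port rewrite */
    n += 2;                                    /* double VLAN / QinQ push */
    n += 1;                                    /* redirect to egress device */
    n += 1;                                    /* tunnel action added by act_ct */
    return n;                                  /* 17 */
}

/* Fill a rule with `wanted` actions through the checked helper.
 * Returns the number placed, or -1 if the budget ran out first. */
static int fill_checked(int capacity, int wanted)
{
    struct flow_rule_model r = { .capacity = capacity, .num_entries = 0 };
    for (int i = 0; i < wanted; i++) {
        int idx = entry_next_checked(&r);
        if (idx < 0)
            return -1;
        r.entries[idx] = i;
    }
    return r.num_entries;
}

/* Highest slot index the unchecked helper hands out for `wanted` actions. */
static int highest_index_unchecked(int capacity, int wanted)
{
    struct flow_rule_model r = { .capacity = capacity, .num_entries = 0 };
    int highest = -1;
    for (int i = 0; i < wanted; i++) {
        int idx = entry_next_unchecked(&r);
        if (idx < ACTION_MAX_NEW)
            r.entries[idx] = i;  /* clamp the model's own write; the real code had no such guard */
        highest = idx;
    }
    return highest;
}

/* True when the unchecked helper would index past the allocated budget. */
static bool would_overflow(int capacity, int wanted)
{
    return highest_index_unchecked(capacity, wanted) >= capacity;
}

int main(void)
{
    int n = ipv6_worst_case_actions();
    printf("worst-case IPv6 actions: %d\n", n);
    printf("unchecked, budget %d: overflow=%d\n", ACTION_MAX_OLD, would_overflow(ACTION_MAX_OLD, n));
    printf("checked,   budget %d: placed=%d\n", ACTION_MAX_OLD, fill_checked(ACTION_MAX_OLD, n));
    printf("checked,   budget %d: placed=%d\n", ACTION_MAX_NEW, fill_checked(ACTION_MAX_NEW, n));
    return 0;
}
```

With the assumed tally the unchecked helper hands out slot 16 for the seventeenth action, one past a 16-entry budget; the checked helper returns -1 at that point and only succeeds once the budget is 24. When reviewing a backport, confirm that every caller of the next-entry helper handles the failure return, not just that the constant was raised.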
Defensive priority
High. The CVSS vector is local and low-privilege, with high impact on confidentiality, integrity and availability. Kernel networking flaws have a broad blast radius, since the affected code runs in kernel context for every offloaded flow, so affected systems should be patched promptly.
Recommended defensive actions
- Install the kernel updates that include the flowtable action-count fix.
- Inventory which systems use netfilter flowtable hardware offload (flowtables created with the offload flag), especially with IPv6, VLAN/QinQ, NAT, redirects, or tunnels.
- Prioritize patching hosts where local users or containers can interact with networking features.
- Track downstream vendor advisories and backports for the relevant kernel branch.
- After updating, verify that offload-dependent IPv6 configurations still function as expected.
- If immediate patching is not possible, disable hardware offload on the affected flowtables (drop the offload flag so flows stay on the software path) where operationally feasible.
Evidence notes
Based only on the supplied NVD CVE record and the linked kernel.org stable references. The record explicitly describes the action-count mismatch, the IPv6-specific maximum of 17 actions, the prior limit of 16, and the remediation to enforce bounds and raise the limit to 24. No exploit details beyond the official record are used.
Official resources
- CVE-2026-43329 CVE record (CVE.org)
- CVE-2026-43329 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Publicly disclosed in the supplied CVE record on 2026-05-08 and last modified on 2026-05-11. The record cites multiple kernel.org stable commits as fixes. No KEV entry is listed in the supplied data.