PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43027 Linux CVE debrief

A use-after-free vulnerability was discovered in the Linux kernel, specifically in the netfilter component. The vulnerability occurs when the nf_conntrack_helper_unregister function fails to properly clean up expectations belonging to the helper being unregistered, leading to a use-after-free condition. This can cause a crash or potentially allow an attacker to execute arbitrary code. The vulnerability has been resolved with a patch that fixes the use-after-free vulnerability by passing the actual helper pointer to nf_ct_expect_iterate_destroy.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-01
Original CVE updated
2026-07-14
Advisory published
2026-05-01
Advisory updated
2026-07-14

Who should care

Linux kernel developers and maintainers, Linux distribution maintainers, users of Linux-based systems, security teams and researchers, and organizations using Linux-based systems for critical infrastructure or services.

Technical summary

The vulnerability is caused by the nf_conntrack_helper_unregister function passing a NULL pointer to nf_ct_expect_iterate_destroy, which fails to clean up expectations referencing the helper. This leads to a use-after-free condition when the helper object is freed and later accessed. The vulnerability can be triggered by unloading a netfilter helper module. The fix involves passing the actual helper pointer to nf_ct_expect_iterate_destroy, ensuring that expectations referencing the helper are properly destroyed before the helper object is freed.

Defensive priority

High

Recommended defensive actions

  • Apply the official patch or update to a fixed kernel version
  • Monitor Linux kernel updates and apply patches promptly
  • Consider using a Linux distribution that provides timely kernel updates
  • Use kernel modules that provide additional security features, such as SELinux or AppArmor
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was introduced in the Linux kernel and has been resolved with a patch. The patch fixes the use-after-free vulnerability by passing the actual helper pointer to nf_ct_expect_iterate_destroy. Multiple kernel versions are affected, including 4.14, 5.11, 5.16, 6.1, 6.2, 6.6, 6.7, 6.12, 6.13, 6.18, and 6.19. However, specific details about the affected versions and configurations are limited, and defenders should verify the vulnerability's presence in their systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-01T15:16:47.167Z and has not been modified since then.