PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43060 Linux CVE debrief

CVE-2026-43060 is a Linux kernel netfilter issue in nft_ct handling where packets already queued in nfqueue can retain references to objects that may be removed underneath them. The supplied record says the kernel fix is to drop pending enqueued packets on removal so they do not hold stale references to conntrack zone templates, timeout policies, or helper objects.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-08
Advisory published: 2026-05-05
Advisory updated: 2026-05-08

Who should care

Organizations running Linux kernels with nftables/netfilter and nfqueue workflows should care, especially if they rely on conntrack zones, timeout policies, or helpers. Kernel maintainers, distro security teams, and platform operators should prioritize validation and patch rollout.

Technical summary

According to the supplied CVE description, packets waiting in nfqueue may reference nft_ct-related data structures that can disappear during module or object removal. The specific concern is stale references to: conntrack zone templates stored in a percpu area, conntrack timeout policies, and conntrack helpers. The stated remediation is to drop enqueued packets when those dependencies are removed, rather than attempting finer-grained selective retention.

Defensive priority

High. The CVSS vector supplied is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local attack conditions with high potential impact if the vulnerable path is reachable.

Recommended defensive actions

  • Apply the Linux kernel update that contains the nft_ct fix referenced by the supplied kernel commits.
  • Identify systems using nftables/netfilter features that rely on nft_ct, nfqueue, conntrack zones, timeout policies, or helpers.
  • Prioritize patching internet-facing or multi-tenant Linux hosts where local privilege boundaries matter.
  • Track vendor kernel advisories and confirm the fix is present in your distribution’s backported kernel package.
  • Plan maintenance windows for kernel rollout and reboot where required, since this is a kernel-level fix.
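To support the inventory step above (finding hosts that combine nfqueue with nft_ct zones, timeout policies or helpers), here is an added shell example that is not part of the PatchSiren debrief or the kernel project: it scans the text of `nft list ruleset` for those features, using a constructed sample ruleset in place of live output.

```shell
#!/bin/sh
# Added example, not code from the PatchSiren debrief or the kernel project.
# Scans the text of `nft list ruleset` for the features CVE-2026-43060 touches:
# nfqueue ("queue" verdicts) plus nft_ct zone, timeout and helper use.

# Constructed sample ruleset standing in for live `nft list ruleset` output.
SAMPLE_RULESET='table inet filter {
	ct helper ftp-standard {
		type "ftp" protocol tcp
	}
	ct timeout agg-tcp {
		protocol tcp
		policy = { established : 2h }
	}
	chain input {
		type filter hook input priority 0; policy accept;
		ct state established,related accept
		ct zone set 1
		tcp dport 21 ct helper set "ftp-standard"
		udp dport 53 queue num 0 bypass
	}
}'

# Count lines matching a regex; prints 0 (not an error) when nothing matches.
count_matches() {
    printf '%s\n' "$1" | grep -Ec "$2" || true
}

# Prints "<feature> <count>" for each feature and returns 0 only when the
# ruleset combines nfqueue with at least one nft_ct object (the exposure the
# debrief describes), 1 otherwise.
scan_ruleset() {
    queue=$(count_matches "$1" '(^|[[:space:]])queue([[:space:]]|$)')
    zone=$(count_matches "$1" 'ct zone')
    timeout=$(count_matches "$1" 'ct timeout')
    helper=$(count_matches "$1" 'ct helper')
    printf 'queue %s\nct_zone %s\nct_timeout %s\nct_helper %s\n' \
        "$queue" "$zone" "$timeout" "$helper"
    if [ "$queue" -gt 0 ] && [ $((zone + timeout + helper)) -gt 0 ]; then
        return 0
    fi
    return 1
}

if scan_ruleset "$SAMPLE_RULESET"; then
    echo "exposed: nfqueue and nft_ct objects both in use; confirm the fixed kernel is installed"
fi
```

On a live host, replace the sample with `scan_ruleset "$(nft list ruleset)"`; a zero exit status marks the host for the patch-tracking list.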

Evidence notes

The supplied source corpus describes the issue as a Linux kernel netfilter nft_ct vulnerability and states that pending nfqueue packets can hold references to removable objects, leading to stale references. NVD metadata in the corpus lists the status as 'Undergoing Analysis' and provides a local, low-privilege, no-UI CVSS 3.1 vector with high confidentiality, integrity, and availability impact. The corpus includes several kernel.org stable references, but no further commit text is provided here.

Official resources

CVE-2026-43060 was published on 2026-05-05T16:16:15.050Z and last modified on 2026-05-08T13:16:37.143Z. In the supplied corpus, NVD marks the entry as 'Undergoing Analysis.' No KEV listing is present in the provided data.