PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43088 Linux CVE debrief

CVE-2026-43088 is a Linux kernel issue in the PF_KEY export paths. According to the supplied description, certain message builders reserve 32 bytes for IPv6 sockaddr payloads, but only initialize the first 28 bytes of struct sockaddr_in6, leaving the final aligned bytes uninitialized. The fix is limited to export paths that append sockaddr data with plain skb_put(), specifically SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE. From a defensive perspective, this is best treated as a potential kernel information disclosure risk in PF_KEY/IPsec-related networking code. Systems that rely on these kernel interfaces should be updated to versions containing the zero-tail fix.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-06
Original CVE updated
2026-05-14
Advisory published
2026-05-06
Advisory updated
2026-05-14

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use PF_KEY/IPsec functionality should pay attention, especially if they ship or run kernels that include the affected export paths.

Technical summary

The vulnerability is an initialization bug in net/af_key export handling. PF_KEY code uses pfkey_sockaddr_size() to reserve aligned sockaddr space, so IPv6 entries occupy 32 bytes on the wire. pfkey_sockaddr_fill() initializes only the visible 28-byte sockaddr_in6 portion, but not the remaining aligned tail. In the affected export paths, that tail could be transmitted without being cleared. The supplied description says the state and policy dump builders already zero their buffers, so the fix targets only the remaining paths that append sockaddr payloads with skb_put().

Defensive priority

Medium — prioritize patching if your environment uses PF_KEY/IPsec or processes PF_KEY exports, since the issue can expose uninitialized kernel memory in network-related output.

Recommended defensive actions

  • Apply the kernel update containing the PF_KEY sockaddr tail zeroing fix.
  • Verify whether your deployed kernel includes the affected PF_KEY export paths: SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE.
  • If you maintain a kernel backport tree, confirm the fix is present in your stable branch rather than relying on version numbers alone.
  • Watch for vendor advisories or distro backports that reference the same PF_KEY export-path correction.
  • Inventory hosts that use IPsec/PF_KEY features so you can prioritize remediation there.

Evidence notes

The supplied CVE description explicitly states that PF_KEY export paths reserve aligned sockaddr payload space, that pfkey_sockaddr_fill() leaves the final 4 aligned bytes of struct sockaddr_in6 uninitialized, and that the fix is restricted to SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE. NVD marks the record as undergoing analysis and lists four official kernel stable references. No CVSS score, CWE, or KEV data was supplied.

Official resources

Published 2026-05-06T10:16:22.090Z; last modified 2026-05-14T15:16:47.020Z. The supplied source item and NVD record indicate the vulnerability was still undergoing analysis at the time of the provided metadata.