PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43116 Linux CVE debrief

CVE-2026-43116 is a HIGH severity vulnerability in the Linux kernel's netfilter component. It allows local attackers to escalate privileges due to unsafe access to master conntrack objects. The vulnerability has been resolved through a series of patches addressing safe access to master conntrack. Affected Linux kernel versions range from 2.6.16 to 6.18.24, 6.19 to 6.19.14, and specific 7.0 release candidates.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-06-19
Advisory published: 2026-05-06
Advisory updated: 2026-06-19

Who should care

System administrators and security teams managing Linux servers, especially hosts on which untrusted or low-privileged users hold local accounts, should prioritize patching this vulnerability. Linux distributions and vendors should apply the provided patches to their supported kernel versions.

Technical summary

The vulnerability exists in the netfilter component of the Linux kernel, specifically in how it handles access to master conntrack objects. Holding a reference to the expectation alone is insufficient: the master conntrack object can be removed while the expectation is still referenced, leaving exp->master pointing at an invalid object. The fix extends the region protected by nf_conntrack_expect_lock so that exp->master is only accessed while it is guaranteed to be valid. This includes grabbing the spinlock before looking up expectations and moving the delivery of certain events under the spinlock.

Defensive priority

High priority due to local privilege escalation risk

Recommended defensive actions

  • Apply official patches from Linux kernel maintainers
  • Review and update Linux kernel versions to ensure affected versions are patched
  • Inventory Linux systems for exposure and prioritize patching based on risk
  • Monitor Linux kernel updates and apply patches promptly
  • Consider compensating controls like restricting local access to sensitive systems
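One way to turn the inventory and version-review steps above into a repeatable check, as an added example that is not part of the PatchSiren debrief or the Linux kernel project: a POSIX shell function that classifies a kernel release string against the affected ranges stated on this page (2.6.16 to 6.18.24 and 6.19 to 6.19.14). The `review` result for 7.0 release candidates is my own choice, because the page only says that "specific" 7.0 rc builds are affected without naming them.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the affected ranges
# given in this debrief (2.6.16..6.18.24 and 6.19..6.19.14). The page only says
# "specific 7.0 release candidates" are affected, so any 7.0 rc is reported as
# "review" rather than guessed either way.

# ver_key: turn "MAJ.MIN.PATCH[-suffix]" into one integer so that ranges can be
# compared with plain -ge/-le. Distro suffixes such as "-generic" and rc tags
# ("-rc3") are dropped before splitting on dots; missing fields count as 0.
ver_key() {
    v=${1%%[-+]*}
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range KEY LOW HIGH: true when LOW <= KEY <= HIGH (both ends inclusive,
# matching how the debrief states the ranges).
in_range() {
    [ "$1" -ge "$(ver_key "$2")" ] && [ "$1" -le "$(ver_key "$3")" ]
}

# classify RELEASE: prints one of affected | review | not-in-listed-range
classify() {
    case "$1" in
        7.0-rc*|7.0.0-rc*) echo review; return 0 ;;
    esac
    k=$(ver_key "$1")
    if in_range "$k" 2.6.16 6.18.24 || in_range "$k" 6.19 6.19.14; then
        echo affected
    else
        echo not-in-listed-range
    fi
}

# Report on the running kernel when the script is executed directly.
printf '%s: %s\n' "$(uname -r)" "$(classify "$(uname -r)")"
```

Run it on each host (or feed it `uname -r` output collected by your inventory tooling) to get a first-pass list of candidates. The result is a version heuristic only: distribution kernels routinely backport fixes without changing the upstream version number, so an `affected` verdict should be confirmed against the distribution's own advisory or changelog before a host is treated as unpatched.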

Evidence notes

The CVE-2026-43116 vulnerability affects Linux kernel versions 2.6.16 to 6.18.24, 6.19 to 6.19.14, and specific 7.0 release candidates. Patches are available in the Linux kernel source tree. Official CVE and NVD records provide additional details.

Official resources

This AI-assisted CVE debrief is based on the supplied source corpus and adheres to strict guidelines for accuracy and neutrality.