PatchSiren

CVE-2026-43450 Linux CVE debrief

CVE-2026-43450 is a Linux kernel memory-safety issue in the netfilter nfnetlink_cthelper code path. The bug can trigger an 8-byte out-of-bounds read in nfnl_cthelper_dump_table() when table state changes between netlink dump rounds, and it was observed by KASAN as a slab-out-of-bounds read. The issue is rated HIGH (CVSS 7.1) and requires local access with privileges.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators of systems running affected kernel versions should care, especially where netfilter conntrack helper functionality is present in the deployed configuration.

Technical summary

According to the CVE description, nfnl_cthelper_dump_table() used a goto restart path that jumped back into the loop body after the for loop had already advanced cb->args[0] to nf_ct_helper_hsize. If the "last" helper stored in cb->args[1] was deleted between dump rounds, the loop could complete without clearing cb->args[1], and the restart would bypass the bounds check and read nf_ct_helper_hash[nf_ct_helper_hsize]. The fix moves the restart block into the for-loop body so a retry only happens while the index is still in range. NVD classifies the weakness as CWE-125 and lists vulnerable kernel ranges ending before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9, plus 7.0-rc1 through 7.0-rc3.
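
The control flow described above, as an added user-space model in C (not the kernel source or the upstream patch). HSIZE, table, bucket(), walk(), dump() and oob_after_dump() are hypothetical stand-ins, and bucket() counts an out-of-range index instead of reading it. The scenario starts at the second dump round, with args[1] pointing at a helper that is no longer in the table.

```c
/* Added user-space model; every name is a stand-in, not kernel code. */
#include <stddef.h>
#define HSIZE 4                               /* models nf_ct_helper_hsize */
struct helper  { struct helper *next; };
struct dump_cb { unsigned long args[2]; };    /* [0] bucket index, [1] saved "last" */
static struct helper *table[HSIZE];           /* models nf_ct_helper_hash */
static int oob_reads;                         /* would-be reads past the table */
/* Guarded access: count an out-of-range index instead of dereferencing it. */
static struct helper *bucket(unsigned long i)
{
    if (i >= HSIZE) { oob_reads++; return NULL; }
    return table[i];
}

/* Walk one bucket, skipping entries until the saved "last" is seen. */
static int walk(struct dump_cb *cb)
{
    int n = 0;
    for (struct helper *cur = bucket(cb->args[0]); cur; cur = cur->next) {
        if (cb->args[1] && (unsigned long)cur != cb->args[1])
            continue;                         /* still looking for "last" */
        cb->args[1] = 0;
        n++;                                  /* entry would be emitted here */
    }
    return n;
}

/* patched=0: retry after the loop (pre-fix). patched=1: retry inside the body. */
static int dump(struct dump_cb *cb, int patched)
{
    int n = 0;
    for (; cb->args[0] < HSIZE; cb->args[0]++) {
restart:
        n += walk(cb);
        if (patched && cb->args[1]) { cb->args[1] = 0; goto restart; }
    }
    if (cb->args[1]) { cb->args[1] = 0; goto restart; }  /* args[0] == HSIZE here */
    return n;
}

/* Constructed scenario: the saved "last" helper was deleted between rounds. */
static int oob_after_dump(int patched)
{
    static struct helper a, b, gone;          /* gone is not linked into table */
    struct dump_cb cb = { { 1, (unsigned long)&gone } };
    table[1] = &a; table[3] = &b; oob_reads = 0;
    dump(&cb, patched);
    return oob_reads;
}
```

With the pre-fix placement the model records one access at index HSIZE; with the retry inside the loop body it records none and the remaining helpers are still dumped.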

Defensive priority

High. This is a kernel out-of-bounds read with confidentiality and availability impact, low attack complexity, and local privilege requirements.

Recommended defensive actions

  • Apply the kernel patches linked in the official references or move to a vendor build that includes the fix for your branch.
  • Inventory Linux kernel versions against the affected ranges published by NVD and prioritize systems running those releases.
  • If you maintain custom kernels or backports, confirm the nfnl_cthelper_dump_table() restart logic matches the patched control flow.
  • Track distro advisories and validate that security updates cover all deployed kernel variants, including release-candidate or custom builds where applicable.

Evidence notes

The vulnerability description states that nfnl_cthelper_dump_table() can perform an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize] when the saved "last" helper disappears between dump rounds. The CVE record and NVD detail are the primary sources, and the NVD record also provides the affected version ranges and CWE-125 classification. The linked git.kernel.org stable references are official patch artifacts tied to the fix.

Official resources

CVE published 2026-05-08T15:16:57.643Z and last modified 2026-05-21T16:57:23.840Z. This debrief uses the published CVE/NVD record and official kernel patch links only.