PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43452 Linux CVE debrief

CVE-2026-43452 is a Linux kernel netfilter flaw in the x_tables option walkers used by xt_tcpudp and xt_dccp. The loop that steps through TCP/DCCP header options lacks an end-of-buffer check: when the last byte of the option area is a kind byte that is normally followed by a length byte (that is, not one of the single-byte option kinds), the walker reads the length byte that is not there, one byte past the option region. NVD rates the issue HIGH (8.2) with a network attack vector, no privileges required, no user interaction, high availability impact and low confidentiality impact.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, embedded Linux vendors, and operators who filter traffic with iptables (including iptables-nft, which loads the x_tables match modules through nft_compat) or any other consumer of the xt_tcpudp and xt_dccp matches, especially on the affected kernel release lines.

Technical summary

The affected code lives in the netfilter x_tables option walkers used by xt_tcpudp (TCP options) and xt_dccp (DCCP options). The walker treats a single-byte option kind as one byte and otherwise advances with the GNU shorthand i += op[i + 1] ?: 1, i.e. by the option's length byte, or by one if that byte is zero. When i reaches the final byte of the option area and that byte is not a single-byte kind, op[i + 1] lies one byte beyond the buffer and is read anyway. The resolved fix adds an explicit i == optlen - 1 check before dereferencing op[i + 1]. NVD lists the affected Linux kernel ranges by branch: 2.6.16 up to but not including 5.10.253; 5.11 up to 5.15.203; 5.16 up to 6.1.167; 6.2 up to 6.6.130; 6.7 up to 6.12.78; 6.13 up to 6.18.19; 6.19 up to 6.19.9; and the 7.0 release candidates rc1, rc2 and rc3. Each upper bound is the first fixed version on that stable branch; branches in between with no listed fix (for example 4.19.y or 5.4.y) fall inside the ranges throughout.
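The following is an added example, not code from the kernel tree or from the advisory: a user-space model of the option walker as the debrief describes it, once with the original advance expression and once with the i == optlen - 1 check. Reads are routed through a bounds-checked accessor that counts, rather than performs, any read at or beyond optlen, so the one-byte over-read is observable without touching real memory. The option buffers are constructed for the example; treating a dangling kind byte as end-of-options in the fixed walker is this example's choice, since the debrief only states that the check was added.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the x_tables TCP/DCCP option walker (example code, not the
 * kernel's). Convention used here: kinds below 2 (TCP EOL and NOP) are
 * single-byte options; every other kind is followed by a length byte that
 * covers the whole option, including the kind and length bytes.
 */
struct opt_walk {
    const uint8_t *op;      /* start of the option area */
    unsigned int optlen;    /* number of bytes in the option area */
    unsigned int oob_reads; /* reads at index >= optlen: the over-read */
};

/* Bounds-checked read: counts an out-of-area read instead of doing it. */
static uint8_t rd(struct opt_walk *w, unsigned int idx)
{
    if (idx >= w->optlen) {
        w->oob_reads++;
        return 0;   /* in the kernel this would be whatever byte follows */
    }
    return w->op[idx];
}

/* Before the fix: the loop shape the debrief describes. */
static bool find_option_before(struct opt_walk *w, uint8_t option)
{
    unsigned int i = 0;

    while (i < w->optlen) {
        uint8_t kind = rd(w, i);

        if (kind == option)
            return true;
        if (kind < 2) {         /* single-byte kind: no length byte */
            i++;
            continue;
        }
        /* Kernel shorthand: i += op[i + 1] ?: 1. When i == optlen - 1 there
         * is no length byte, so this reads one byte past the option area. */
        uint8_t len = rd(w, i + 1);
        i += len ? len : 1;
    }
    return false;
}

/* After the fix: refuse to read a length byte that does not exist. */
static bool find_option_after(struct opt_walk *w, uint8_t option)
{
    unsigned int i = 0;

    while (i < w->optlen) {
        uint8_t kind = rd(w, i);

        if (kind == option)
            return true;
        if (kind < 2) {
            i++;
            continue;
        }
        if (i == w->optlen - 1)
            break;              /* no room for op[i + 1]: stop walking */
        uint8_t len = rd(w, i + 1);
        i += len ? len : 1;
    }
    return false;
}

/* Observable results of one walk: over-read count and match result. */
static unsigned int walker_oob_reads(bool fixed, const uint8_t *op,
                                     unsigned int optlen, uint8_t option)
{
    struct opt_walk w = { op, optlen, 0 };
    (fixed ? find_option_after : find_option_before)(&w, option);
    return w.oob_reads;
}

static bool walker_found(bool fixed, const uint8_t *op,
                         unsigned int optlen, uint8_t option)
{
    struct opt_walk w = { op, optlen, 0 };
    return (fixed ? find_option_after : find_option_before)(&w, option);
}

/* Constructed sample option areas (not captured traffic). */
/* NOP, MSS (len 4, 1460), then a trailing kind-3 byte with no length byte. */
static const uint8_t truncated_opts[] = { 0x01, 0x02, 0x04, 0x05, 0xb4, 0x03 };
/* MSS (len 4, 1460), NOP, EOL: every kind byte has what it needs after it. */
static const uint8_t wellformed_opts[] = { 0x02, 0x04, 0x05, 0xb4, 0x01, 0x00 };

int main(void)
{
    unsigned int n = sizeof truncated_opts;
    /* Search for a kind (8, timestamp) that is absent so the walk reaches
     * the dangling last byte in both versions. */
    printf("truncated, before fix: out-of-area reads = %u\n",
           walker_oob_reads(false, truncated_opts, n, 0x08));
    printf("truncated, after fix:  out-of-area reads = %u\n",
           walker_oob_reads(true, truncated_opts, n, 0x08));
    return 0;
}
```

On the truncated buffer the pre-fix walker performs exactly one read at index optlen; the fixed walker performs none and still finds every option that is actually present. The well-formed buffer produces no over-read in either version, which is why the bug depends on the shape of the attacker-controlled option area rather than on the rule being matched.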

Defensive priority

High. This is a kernel-level memory-safety issue in widely deployed networking code, with network-based attack conditions and broad affected version coverage. Patch deployment should be prioritized for internet-facing and multi-tenant systems, then rolled into all supported kernel branches and vendor backports.

Recommended defensive actions

  • Apply the vendor/stable kernel updates referenced by the linked patches as soon as practical.
  • Check every production kernel against the NVD affected ranges. Upstream stable versions can be compared directly; a distro kernel's version string does not carry the upstream patch level, so for those rely on the distro advisory or changelog rather than the number.
  • Prioritize systems whose rulesets exercise the vulnerable walkers: the option search in xt_tcpudp and xt_dccp runs for rules that match on TCP or DCCP options (iptables --tcp-option / --dccp-option), and those rules inspect attacker-supplied packets. Patch every kernel in the affected ranges regardless, since rulesets change.
  • Track downstream distro advisories for backported fixes if you do not run mainline or stable kernel versions.
  • After patching, confirm the running kernel build includes the x_tables walker fix (the i == optlen - 1 check in xt_tcpudp and xt_dccp), for example via the distro changelog or the stable-tree commit for that branch.
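An added example (not from the advisory or the kernel tree) for the version-range check above: it classifies an upstream kernel version string against the NVD ranges quoted in this debrief, encoding the fact that branches with a listed fix are affected only below the fixed patch level while the other branches from 2.6.16 up to 7.0 are affected throughout. It assumes the string carries the upstream major.minor.patch level; a distro string such as "5.15.0-107-generic" (a made-up example) does not, and 7.0 release candidates are reported as not classifiable because the rc number is not in those fields.

```c
#include <stddef.h>
#include <stdio.h>

/* Example code: upstream version triage against the NVD ranges on this page. */
struct kver { int major, minor, patch; };

/* First fixed version on each stable branch NVD lists with a fix. */
static const struct kver first_fixed[] = {
    { 5, 10, 253 }, { 5, 15, 203 }, { 6, 1, 167 }, { 6, 6, 130 },
    { 6, 12, 78 },  { 6, 18, 19 },  { 6, 19, 9 },
};

/* Start of the earliest affected range (inclusive). */
static const struct kver range_start = { 2, 6, 16 };

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/*
 * Returns 1 if the version lies inside an NVD affected range, 0 if it is
 * at or above the fix for its branch (or below 2.6.16), and -1 if the
 * string cannot be classified. Only meaningful for upstream/stable version
 * strings; distro kernels need their distro advisory instead.
 */
static int upstream_affected(const char *version)
{
    struct kver v;
    size_t i;

    if (sscanf(version, "%d.%d.%d", &v.major, &v.minor, &v.patch) != 3)
        return -1;
    if (v.major >= 7)
        return -1;      /* 7.0 rc1-rc3 are affected, but rc tags are not parsed here */

    /* Branch with a listed fix: affected only below the fixed patch level. */
    for (i = 0; i < sizeof first_fixed / sizeof first_fixed[0]; i++) {
        if (first_fixed[i].major == v.major && first_fixed[i].minor == v.minor)
            return v.patch < first_fixed[i].patch;
    }
    /* Any other branch from 2.6.16 up to 7.0 is inside the listed ranges
     * outright (e.g. 4.19.y or 5.4.y have no fixed version in the NVD data). */
    return kver_cmp(v, range_start) >= 0;
}

int main(int argc, char **argv)
{
    const char *v = argc > 1 ? argv[1] : "6.6.129";   /* constructed default */
    int r = upstream_affected(v);

    printf("%s: %s\n", v,
           r == 1 ? "inside an NVD affected range" :
           r == 0 ? "at or above the fixed version for its branch" :
                    "not classifiable from the version string");
    return 0;
}
```

Run it with the output of `uname -r` on a stable kernel; a 0 result only means the upstream number is past the fix, and a 1 result on a distro kernel is not evidence either way until the distro changelog has been checked for the backport.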

Evidence notes

This debrief is based on the official NVD CVE record and the linked Linux kernel stable patch references. The description in the source item states that xt_tcpudp and xt_dccp option walkers could read op[i + 1] past the end of the option area and that an explicit tail-byte check was added. NVD metadata provides the affected version ranges and CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H. No KEV listing was provided in the supplied corpus.

Official resources

CVE published 2026-05-08 and last modified 2026-05-21 in the supplied official records. No CISA KEV entry was provided in the source corpus.