PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43453 Linux CVE debrief

CVE-2026-43453 is a Linux kernel memory-safety flaw in netfilter's nft_set_pipapo code. The bug occurs in pipapo_drop(), which passes rulemap[i + 1].n to pipapo_unmap() on every loop iteration, including the last one. On that final iteration, the code reads one element past the end of the stack-allocated rulemap array. The issue was confirmed by KASAN as a stack-out-of-bounds read, and the upstream fix replaces the final to_offset argument with 0.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distribution kernel teams, embedded/device vendors, and administrators running affected kernel releases with nftables/netfilter support should prioritize this issue. Systems that allow local users or untrusted workloads are especially relevant because the CVSS vector indicates local, low-privilege attack conditions.

Technical summary

The vulnerable path is in nft_set_pipapo::pipapo_drop(). rulemap is a stack array sized for NFT_PIPAPO_MAX_FIELDS (16), but the function evaluates rulemap[i + 1].n even when i is the last valid field index. That makes the call-site argument itself an out-of-bounds stack read before pipapo_unmap() can return early. NVD lists the weakness as CWE-125 and rates the issue CVSS 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). Affected kernel ranges in the NVD record include 5.6 through before 5.10.253, 5.11 through before 5.15.203, 5.16 through before 6.1.167, 6.2 through before 6.6.130, 6.7 through before 6.12.78, 6.13 through before 6.18.19, 6.19 through before 6.19.9, plus 7.0-rc1 through rc3.
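The loop shape behind the read, as an added stand-alone C model (not the kernel's code; struct layout, function names and the guarded accessor are assumptions made for illustration). It shows why the rulemap[i + 1] lookahead lands beyond the populated fields on the last iteration, and past the array itself when all 16 fields are in use, and how the upstream change of passing 0 as the final to_offset removes that read.

```c
/* Stand-alone model of the loop shape in pipapo_drop(): not the kernel's
 * code; names, bucket layout and the unmap stub are assumed. rulemap is a
 * fixed stack array; only the first field_count entries describe fields. */
#include <stddef.h>
#include <string.h>

#define NFT_PIPAPO_MAX_FIELDS 16
#define NO_READ ((unsigned int)-1)   /* marker: the model refused a bad read */

struct map_bucket { unsigned int to; unsigned int n; };
/* Guarded accessor: returns rulemap[idx].n only when idx names a field in
 * use, otherwise NO_READ. The real code has no such guard and just reads. */
static unsigned int read_n(const struct map_bucket *rulemap, size_t idx,
                           size_t field_count)
{
    return idx < field_count ? rulemap[idx].n : NO_READ;
}

/* Run the drop loop over field_count fields and count lookahead reads of
 * rulemap[i + 1] that land beyond the fields in use; *past_array_end is set
 * when one of them is also past the end of the array itself (the KASAN
 * case, field_count == NFT_PIPAPO_MAX_FIELDS). fixed == 1 applies the
 * upstream change: to_offset is 0 on the last field, with no lookahead. */
static unsigned int count_bad_lookaheads(size_t field_count, int fixed,
                                         int *past_array_end)
{
    struct map_bucket rulemap[NFT_PIPAPO_MAX_FIELDS];
    unsigned int bad = 0;
    size_t i;
    memset(rulemap, 0, sizeof(rulemap));           /* constructed sample */
    for (i = 0; i < field_count; i++)
        rulemap[i].n = 1 + (unsigned int)i;
    *past_array_end = 0;
    for (i = 0; i < field_count; i++) {
        int is_last = (i == field_count - 1);
        unsigned int to_offset = 0;
        if (!(fixed && is_last)) {                 /* buggy shape for every i */
            to_offset = read_n(rulemap, i + 1, field_count);
            if (to_offset == NO_READ) {
                bad++;
                if (i + 1 >= NFT_PIPAPO_MAX_FIELDS)
                    *past_array_end = 1;
            }
        }
        /* to_offset and is_last would be handed to pipapo_unmap() here */
    }
    return bad;
}
```

With 16 fields the unfixed loop performs exactly one lookahead that is past the array end, which matches the single out-of-bounds stack read KASAN reported; with the fix applied the count is zero for any field count.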

Defensive priority

High. This is a confirmed kernel memory-safety bug with a local attack surface and published fixes in official kernel branches.

Recommended defensive actions

  • Upgrade to a kernel release that includes the official fix in the affected stable branch you run.
  • If immediate upgrading is not possible, treat systems running nftables/netfilter workloads as higher priority for patching and maintenance windows.
  • Verify whether your kernel version falls within one of the vulnerable ranges listed by NVD, including the affected release branches and release candidates.
  • Apply vendor backports for downstream kernels rather than assuming a higher mainline version number alone is sufficient.
  • Track distro advisories or kernel changelogs for the specific stable commit that removes the out-of-bounds read in pipapo_drop().

Evidence notes

The supplied CVE description states that pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() on every iteration, including the last one, which reads one element past the end of the stack-allocated rulemap array. It also includes a KASAN report showing a stack-out-of-bounds read in pipapo_drop+0x50c/0x57c [nf_tables] with the buggy address exactly 4 bytes past the end of rulemap. NVD marks the issue as analyzed, assigns CWE-125, and provides affected version ranges and stable patch references.

Official resources

Published in CVE/NVD on 2026-05-08 and last modified on 2026-05-21. The official record links to multiple kernel stable patch references on git.kernel.org.