
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-43116




CVE-2026-43116 Detail

Modified After Enrichment

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ensure safe access to master conntrack

Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

- Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away.

- Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity, in the cases that are described below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock before looking up for the expectation. Expand the existing spinlock section to address this to cover the expectation lookup. Note that, the nf_ct_expect_iterate_net() calls already grabs the spinlock while iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master.

While at it, add lockdep notations to help identify what codepaths need to grab the spinlock.
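The locking rule in the description, as an added userspace model that is not kernel code and not part of the patch: the lookup and the read through the master pointer share one lock with master teardown, and the reply buffer is allocated before the lock is taken. The types and the names `conn_new`, `expect_add`, `expect_find`, `conn_destroy` and `expect_get_helper` are hypothetical; a C11 `atomic_flag` stands in for the spinlock and a plain flag for the lockdep annotation.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model; names echo the advisory, bodies are simplified. */
struct conn { char helper[16]; };
struct expect { int id; struct conn *master; struct expect *next; };

static atomic_flag expect_lock = ATOMIC_FLAG_INIT; /* stands in for nf_conntrack_expect_lock */
static int lock_held;         /* crude stand-in for a lockdep annotation */
static struct expect *table;  /* stands in for the expectation table */

void exp_lock(void) { while (atomic_flag_test_and_set(&expect_lock)) { } lock_held = 1; }
void exp_unlock(void) { lock_held = 0; atomic_flag_clear(&expect_lock); }

struct conn *conn_new(const char *helper) {
    struct conn *ct = calloc(1, sizeof(*ct));
    if (ct) strncpy(ct->helper, helper, sizeof(ct->helper) - 1);
    return ct;
}

void expect_add(struct expect *e, int id, struct conn *ct) {
    e->id = id; e->master = ct;
    exp_lock(); e->next = table; table = e; exp_unlock();
}

/* Lookup is only legal with the lock held; abort if a caller forgot it. */
struct expect *expect_find(int id) {
    if (!lock_held) abort();
    for (struct expect *e = table; e; e = e->next)
        if (e->id == id) return e;
    return NULL;
}

/* Master teardown: unlink its expectations under the lock, then free it. */
void conn_destroy(struct conn *ct) {
    exp_lock();
    for (struct expect **pp = &table; *pp; )
        if ((*pp)->master == ct) *pp = (*pp)->next; else pp = &(*pp)->next;
    exp_unlock();
    free(ct);
}

/* "Get" path: allocate before locking, then look up and read e->master under the lock. */
char *expect_get_helper(int id) {
    char *reply = malloc(sizeof(((struct conn *)0)->helper));
    if (!reply) return NULL;
    exp_lock();
    struct expect *e = expect_find(id);
    if (e) memcpy(reply, e->master->helper, sizeof(e->master->helper));
    exp_unlock();
    if (!e) { free(reply); reply = NULL; } /* e is only tested here, never dereferenced */
    return reply;
}
```

Because `conn_destroy` unlinks under the same lock, a reader that finds an expectation while holding the lock can rely on its master still being allocated until it unlocks.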


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools


URL Source(s) Tag(s)
https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b kernel.org Patch 
https://git.kernel.org/stable/c/5e1c1d22268ae710c238342c8030c21daf298168 kernel.org
https://git.kernel.org/stable/c/9e1196d27ef496f404c76f7a9d03761142d991c4 kernel.org
https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 kernel.org Patch 
https://git.kernel.org/stable/c/d52fa1fa7440676b8c238037a050ab008c22737f kernel.org
https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') NIST


Change History

5 change records found

CVE Modified by kernel.org 6/19/2026 9:16:28 AM

Action Type Old Value New Value
Added Reference
https://git.kernel.org/stable/c/5e1c1d22268ae710c238342c8030c21daf298168


Added Reference
https://git.kernel.org/stable/c/9e1196d27ef496f404c76f7a9d03761142d991c4


Added Reference
https://git.kernel.org/stable/c/d52fa1fa7440676b8c238037a050ab008c22737f


Changed Affected
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"f338ced0473849c9f6ed0b77ca99f1aab5826787","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"497f99b26fffdc5635706d1b4811f1ed8ee21a5b","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.16","status":"affected"},{"version":"0","lessThan":"2.6.16","versionType":"semver","status":"unaffected"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]


[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"9e1196d27ef496f404c76f7a9d03761142d991c4","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"5e1c1d22268ae710c238342c8030c21daf298168","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"d52fa1fa7440676b8c238037a050ab008c22737f","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"f338ced0473849c9f6ed0b77ca99f1aab5826787","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"497f99b26fffdc5635706d1b4811f1ed8ee21a5b","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.16","status":"affected"},{"version":"0","lessThan":"2.6.16","versionType":"semver","status":"unaffected"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.6.143","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.12.94","lessThanOrEqual":"6.12.*","versionType":"semver","status":"unaffected"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","
versionType":"semver","status":"unaffected"},{"v

CVE Modified by kernel.org 6/17/2026 6:48:57 AM

Action Type Old Value New Value
Added Affected
[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"f338ced0473849c9f6ed0b77ca99f1aab5826787","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"497f99b26fffdc5635706d1b4811f1ed8ee21a5b","versionType":"git","status":"affected"},{"version":"c1d10adb4a521de5760112853f42aaeefcec96eb","lessThan":"bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["include/net/netfilter/nf_conntrack_core.h","net/netfilter/nf_conntrack_ecache.c","net/netfilter/nf_conntrack_expect.c","net/netfilter/nf_conntrack_netlink.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"2.6.16","status":"affected"},{"version":"0","lessThan":"2.6.16","versionType":"semver","status":"unaffected"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]


Initial Analysis by NIST 5/08/2026 1:49:36 PM

Action Type Old Value New Value
Added CWE
CWE-362


Added CPE Configuration
OR
 *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.14
 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.16 up to (excluding) 6.18.24


Added Reference Type
kernel.org: https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b Types: Patch


Added Reference Type
kernel.org: https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 Types: Patch


Added Reference Type
kernel.org: https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 Types: Patch


CVE Modified by kernel.org 5/08/2026 9:16:39 AM

Action Type Old Value New Value
Added CVSS V3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


New CVE Received from kernel.org 5/06/2026 6:16:25 AM

Action Type Old Value New Value
Added Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ensure safe access to master conntrack

Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

- Grab the nf_conntrack_expect_lock, this gets serialized with
 clean_from_lists() which also holds this lock when the master
 conntrack goes away.

- Hold reference on master conntrack via nf_conntrack_find_get().
 Not so easy since the master tuple to look up for the master conntrack
 is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.

While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.


Added Reference
https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b


Added Reference
https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5


Added Reference
https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787


Quick Info

CVE Dictionary Entry:
CVE-2026-43116
NVD Published Date:
05/06/2026
NVD Last Modified:
06/19/2026
Source:
kernel.org