{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43450", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.010Z", "datePublished": "2026-05-08T14:22:15.915Z", "dateUpdated": "2026-05-08T14:22:15.915Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:22:15.915Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body. When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared. The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it. Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n nfnl_cthelper_dump_table+0x9f/0x1b0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n sock_recvmsg+0xde/0xf0\n __sys_recvfrom+0x150/0x200\n __x64_sys_recvfrom+0x76/0x90\n do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n __kvmalloc_node_noprof+0x21b/0x700\n nf_ct_alloc_hashtable+0x65/0xd0\n nf_conntrack_helper_init+0x21/0x60\n nf_conntrack_init_start+0x18d/0x300\n nf_conntrack_standalone_init+0x12/0xc0"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nfnetlink_cthelper.c"], "versions": [{"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "0605e1985a95d4334a67869aee45a47e82301abf", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "92441f6d9405a0c18d03f278b395e782f79a4a30", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "3cc328ffc32ddb389cba7b78b6aa95d995c2876e", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "4a1f6ee69267a5f524102c028981410eeacfa3da", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "894c5780ddadd5fde0e16f66587918e6be1504c4", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "05018cd9370f77bb18fbf6e15ff33c7a06f10b3c", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "61b3a1f8621df1a5928118313f133996f6a786db", "status": "affected", "versionType": "git"}, {"version": "12f7a505331e6b2754684b509f2ac8f0011ce644", "lessThan": "6dcee8496d53165b2d8a5909b3050b62ae71fe89", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nfnetlink_cthelper.c"], "versions": [{"version": "3.6", "status": "affected"}, {"version": "0", "lessThan": "3.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf"}, {"url": "https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30"}, {"url": "https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e"}, {"url": "https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da"}, {"url": "https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4"}, {"url": "https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c"}, {"url": "https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db"}, {"url": "https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89"}], "title": "netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()\n\nnfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label\ninside the for loop body. When the \"last\" helper saved in cb->args[1]\nis deleted between dump rounds, every entry fails the (cur != last)\ncheck, so cb->args[1] is never cleared. The for loop finishes with\ncb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back\ninto the loop body bypassing the bounds check, causing an 8-byte\nout-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].\n\nThe 'goto restart' block was meant to re-traverse the current bucket\nwhen \"last\" is no longer found, but it was placed after the for loop\ninstead of inside it. Move the block into the for loop body so that\nthe restart only occurs while cb->args[0] is still within bounds.\n\n BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0\n Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131\n Call Trace:\n nfnl_cthelper_dump_table+0x9f/0x1b0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n sock_recvmsg+0xde/0xf0\n __sys_recvfrom+0x150/0x200\n __x64_sys_recvfrom+0x76/0x90\n do_syscall_64+0xc3/0x6e0\n\n Allocated by task 1:\n __kvmalloc_node_noprof+0x21b/0x700\n nf_ct_alloc_hashtable+0x65/0xd0\n nf_conntrack_helper_init+0x21/0x60\n nf_conntrack_init_start+0x18d/0x300\n nf_conntrack_standalone_init+0x12/0xc0"}], "id": "CVE-2026-43450", "lastModified": "2026-05-08T15:16:57.643", "metrics": {}, "published": "2026-05-08T15:16:57.643", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}