CVE-2026-43024
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject immediate NF_QUEUE verdict
nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts.
The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's netfilter nf_tables now rejects immediate NF_QUEUE verdicts, preventing exploitation via the arp family, which lacks queue support.
Vulnerability
Overview
CVE-2026-43024 affects the Linux kernel's netfilter subsystem, specifically the nf_tables module. The vulnerability arises because the code accepts an immediate NF_QUEUE verdict even when the underlying protocol family, such as ARP, does not support packet queueing. The userspace nftables tool never emits such an immediate verdict, but a crafted or malicious rule set could trigger it, leading to unexpected behavior [1][2].
Attack
Vector
An attacker with the ability to load custom nftables rules (typically requiring root privileges or the CAP_NET_ADMIN capability) can inject an immediate NF_QUEUE verdict into an nftables rule. While the immediate verdict is not produced by legitimate nftables tools, the kernel does not block it, and when used with an ARP family table, the lack of queue support results in a reachable inconsistency [3].
Impact
Triggering the immediate NF_QUEUE verdict in the ARP family may cause the kernel to attempt to route a packet, but since there is no queue handler, the kernel could hit an error path or an uninitialized state. The precise impact depends on the kernel version and configuration, but it can lead to denial of service or undefined behavior. Because the capability requirement is high, the overall severity is rated Medium (CVSS 5.5) [4].
Mitigation
The fix globally rejects any immediate NF_QUEUE verdict in nf_tables, preventing the dangerous code path from being reached. The patch has been applied to the stable kernel branches; users should update to the latest kernel versions that include the commit [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.19.307, <4.20)
- cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://git.kernel.org/stable/c/17dc5d5a935c771338430cbc156a16a51cfd31e8 (NVD: Patch)
- https://git.kernel.org/stable/c/2f7f825a548be55420f0f5f716f6c27b9d312d3f (NVD: Patch)
- https://git.kernel.org/stable/c/42a47f4b1b7695026ab9bc1bb35d4622b0835c95 (NVD: Patch)
- https://git.kernel.org/stable/c/4b12a3cc3f075e750cc3c5e693fd25fb400af4a2 (NVD: Patch)
- https://git.kernel.org/stable/c/68390437a998c3f2c57212b413abef5e6d657d88 (NVD: Patch)
- https://git.kernel.org/stable/c/da107398cbd4bbdb6bffecb2ce86d5c9384f4cec (NVD: Patch)
- https://git.kernel.org/stable/c/f140593901724cfbd16597c3a4fcb24a58ae44b0 (NVD: Patch)
- https://git.kernel.org/stable/c/f710691be163ae6b39e4bcab9e5be32d329f035b (NVD: Patch)
News mentions
No linked articles in our index yet.