VYPR
Medium severity (5.5) · NVD Advisory · Published May 1, 2026 · Updated May 8, 2026

CVE-2026-43026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent

ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT.

The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields.

Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled.

Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's netfilter ctnetlink, uninitialized expectation NAT fields can leak kernel memory to userspace when CTA_EXPECT_NAT is absent.

Vulnerability

CVE-2026-43026 is a kernel information disclosure vulnerability in the netfilter ctnetlink subsystem of the Linux kernel. The ctnetlink_alloc_expect() function allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, the saved_addr and saved_proto fields are never initialized, leaving stale data from a previous slab occupant. This stale data is then potentially dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT [1].

Exploitation

An attacker with the ability to create netfilter expectations without specifying CTA_EXPECT_NAT can exploit this flaw. By first allocating NAT-bearing expectations to prime the slab, then freeing them and creating a new expectation without CTA_EXPECT_NAT, the attacker can cause the kernel to include a spurious CTA_EXPECT_NAT in the netlink dump, containing stale data from the prior allocation. No special privileges beyond the ability to interact with netfilter are required, but the attack vector is local.

Impact

Successful exploitation leads to an information disclosure, leaking kernel memory contents to userspace. The leaked data may contain sensitive information from previous use of the memory slab, potentially aiding further attacks. The CVSS v3 score is 5.5 (Medium), with the confidentiality impact rated as high, while integrity and availability are unaffected.

Mitigation

The issue is fixed by explicitly zeroing the saved_addr, saved_proto, and dir fields in the else branch when CTA_EXPECT_NAT is absent, guarded by IS_ENABLED(CONFIG_NF_NAT). Patches are available in the Linux kernel stable repositories [1][2][3][4]. Users should apply the latest kernel updates to remediate the vulnerability.
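To make the bug class concrete for both the Description above and the Vulnerability/Mitigation narrative, the following C program is an added illustration, not kernel code and not the patch itself. It models the expectation object, the non-zeroing slab and the dump heuristic as constructed userspace stand-ins (the struct layout, the single-slot allocator, the sample addresses and the helper names `expect_init_vuln`, `expect_init_fixed`, `expect_dump` and `dump_after_reuse` are all assumptions); the field names saved_addr, saved_proto and dir mirror the advisory. The dump routine is modelled on the description, emitting the NAT attribute whenever either field is non-zero, and the IS_ENABLED(CONFIG_NF_NAT) guard from the real fix is omitted since the fields always exist in this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the kernel's expectation object. Only the fields
 * named in the advisory are modelled; this is not the real struct layout.
 */
struct expect {
    uint32_t tuple_src;    /* always written by the caller */
    uint32_t saved_addr;   /* NAT fields: only meaningful when NAT info was given */
    uint16_t saved_proto;
    int      dir;
};

/*
 * Single-slot "slab": a backing buffer that is recycled without being
 * scrubbed, mimicking a slab cache that does not zero memory on allocation.
 */
static unsigned char slab_slot[sizeof(struct expect)];

static struct expect *expect_alloc(void)
{
    return (struct expect *)slab_slot;   /* no memset: the previous occupant's bytes survive */
}

static void expect_free(struct expect *e)
{
    (void)e;                             /* freeing does not scrub the slot either */
}

/* Vulnerable pattern: NAT fields are written only when the caller supplies them. */
static void expect_init_vuln(struct expect *e, uint32_t src,
                             bool has_nat, uint32_t nat_addr, uint16_t nat_proto)
{
    e->tuple_src = src;
    if (has_nat) {
        e->saved_addr  = nat_addr;
        e->saved_proto = nat_proto;
        e->dir         = 1;
    }
    /* no else branch: saved_addr/saved_proto/dir keep whatever was in the slot */
}

/* Fixed pattern: the else branch zeroes the NAT fields, as the advisory's fix does. */
static void expect_init_fixed(struct expect *e, uint32_t src,
                              bool has_nat, uint32_t nat_addr, uint16_t nat_proto)
{
    e->tuple_src = src;
    if (has_nat) {
        e->saved_addr  = nat_addr;
        e->saved_proto = nat_proto;
        e->dir         = 1;
    } else {
        e->saved_addr  = 0;
        e->saved_proto = 0;
        e->dir         = 0;
    }
}

/*
 * Dump routine modelled on the description: it decides whether to emit the
 * NAT attribute by inspecting the field contents. Returns true and copies the
 * address out when the attribute would be sent to userspace.
 */
static bool expect_dump(const struct expect *e, uint32_t *out_addr)
{
    if (e->saved_addr != 0 || e->saved_proto != 0) {
        *out_addr = e->saved_addr;
        return true;
    }
    return false;
}

/*
 * Replays the sequence from the advisory on the simulated slab: prime the slot
 * with a NAT-bearing expectation, free it, then create one without NAT info
 * and dump it. Returns the address the dump would expose (0 means no leak).
 */
static uint32_t dump_after_reuse(bool use_fix)
{
    const uint32_t primed_addr = 0xC0A80001u;   /* constructed sample value, 192.168.0.1 */
    struct expect *e = expect_alloc();
    expect_init_fixed(e, 0x0A000001u, true, primed_addr, 6);
    expect_free(e);

    e = expect_alloc();                          /* the same slot comes back */
    if (use_fix)
        expect_init_fixed(e, 0x0A000002u, false, 0, 0);
    else
        expect_init_vuln(e, 0x0A000002u, false, 0, 0);

    uint32_t addr = 0;
    return expect_dump(e, &addr) ? addr : 0;
}

int main(void)
{
    printf("vulnerable init: dump exposes 0x%08x\n", dump_after_reuse(false));
    printf("fixed init:      dump exposes 0x%08x\n", dump_after_reuse(true));
    return 0;
}
```

The vulnerable path returns the primed address even though the second expectation never carried NAT information, which is exactly the "spurious CTA_EXPECT_NAT" the advisory describes; the fixed path returns 0 because the else branch leaves nothing for the content-based dump check to misinterpret. The general lesson for reviewers is that any "emit this attribute if the field looks populated" heuristic is only safe when every allocation path initialises that field.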

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux / Kernel (7 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.4,<5.10.253)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
