CVE-2026-43028
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: ensure names are nul-terminated
Reject names that lack a \0 character before feeding them to functions that expect c-strings.
Fixes tag is the most recent commit that needs this change.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing nul-termination check in netfilter x_tables allows crafted table names to cause buffer over-read or information disclosure.
Vulnerability
CVE-2026-43028 is a high-severity vulnerability in the Linux kernel's netfilter subsystem, specifically in the x_tables module. The flaw occurs because the kernel does not verify that the table name string is properly nul-terminated before passing it to functions that expect C-strings. This can lead to buffer over-read or information disclosure if a crafted table name lacking a null byte is provided.
Exploitation
An attacker with the ability to create or manipulate netfilter rules (typically requiring root or CAP_NET_ADMIN) can supply a table name that is not nul-terminated. When the kernel processes this name, functions like strcmp or strlen may read beyond the intended buffer, potentially leaking kernel memory. No network-based attack vector is described; local access with sufficient privileges is required.
Impact
Successful exploitation could allow an attacker to read sensitive kernel memory (information disclosure) or potentially cause a denial of service. The CVSS v3 score of 7.1 reflects the potential for confidentiality impact. Based on the available information, the vulnerability does not directly enable privilege escalation or remote code execution.
Mitigation
The fix has been applied to the Linux kernel stable tree via commits [1], [2], [3], and [4]. Users should update to a kernel version containing these patches. No workaround is mentioned; the only mitigation is to apply the kernel update.
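The kind of check the description calls for, shown as an added user-space C example; it is not the kernel patch or code from this page. The struct layout, `NAME_FIELD_LEN`, the function names and the table list are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define NAME_FIELD_LEN 32   /* assumed fixed field size for this example */

/* Constructed request layout: a fixed-size name field filled by an
 * untrusted caller, followed by unrelated data. */
struct name_request {
    char name[NAME_FIELD_LEN];
    char adjacent[8];
};

/* Returns 1 only if a '\0' occurs inside the field itself. memchr() is
 * bounded by len, so the check never reads past the field. */
static int name_is_terminated(const char *name, size_t len)
{
    return memchr(name, '\0', len) != NULL;
}

/* Hypothetical lookup: validate first, then use C-string functions.
 * Returns the index of the matching table, -EINVAL for an unterminated
 * name, -ENOENT when no table matches. */
static int lookup_table(const struct name_request *req)
{
    static const char *const tables[] = { "filter", "nat", "mangle" };
    size_t i;

    if (!name_is_terminated(req->name, sizeof(req->name)))
        return -EINVAL;   /* without this, strcmp() below could run past
                             name[] into adjacent[] and beyond */
    for (i = 0; i < sizeof(tables) / sizeof(tables[0]); i++)
        if (strcmp(req->name, tables[i]) == 0)
            return (int)i;
    return -ENOENT;
}

/* Builds a constructed request and looks it up. With fill_whole_field set,
 * every byte of name[] is 'A', so the field holds no terminator. */
static int demo(const char *name, int fill_whole_field)
{
    struct name_request req;

    memset(&req, 0, sizeof(req));
    if (fill_whole_field)
        memset(req.name, 'A', sizeof(req.name));
    else
        strncpy(req.name, name, sizeof(req.name) - 1);
    memcpy(req.adjacent, "SECRET!", 8);
    return lookup_table(&req);
}
```

The rejection happens before any unbounded string function touches the field, which is the ordering the description asks for.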
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.5,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.