High severity · 7.8 · NVD Advisory · Published May 5, 2026 · Updated May 8, 2026
CVE-2026-43060
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: drop pending enqueued packets on removal
Packets sitting in nfqueue might hold a reference to:
- templates that specify the conntrack zone, because a percpu area is used and module removal is possible.
- conntrack timeout policies and helper, where object removal leaves a stale reference.
Since these objects can just go away, drop enqueued packets to avoid stale references to them.
If there is a need for finer-grained removal, this logic can be revisited to make selective packet drop upon dependencies.
Affected products: 2
Patches: 0
No patches discovered yet.