CVE-2026-43085
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body.
Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's nfnetlink_log, batching NFLOG messages causes a 4-byte kernel heap memory leak via an uninitialized NLMSG_DONE terminator.
Vulnerability
In the Linux kernel's netfilter subsystem, the nfnetlink_log module is used to send logging messages to userspace via netlink. When multiple NFLOG messages are batched (inst->qlen > 1), the function __nfulnl_send() appends an NLMSG_DONE terminator using nlmsg_put(). The helper nlmsg_put() only zeroes alignment padding after the payload, not the payload itself, leaving the struct nfgenmsg bytes uninitialized. As a result, four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body.
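Added example, not code from the kernel tree or the CVE record: a userspace C model of the two helpers described above (the struct layouts, the MODEL_* macros and the model_* functions are assumptions mirroring their kernel counterparts) showing why a terminator built with nlmsg_put() alone carries stale bytes in its nfgenmsg payload while one built with nfnl_msg_put() does not.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Userspace models of the netlink structs (assumed layouts mirroring the UAPI headers,
 * defined here so the example does not depend on kernel headers). */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags; uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
struct nfgenmsg { uint8_t nfgen_family; uint8_t version; uint16_t res_id; };
#define MODEL_NLMSG_DONE 0x3
#define MODEL_NLMSG_ALIGN(len) (((len) + 3U) & ~3U)
#define MODEL_NLMSG_HDRLEN ((size_t)MODEL_NLMSG_ALIGN(sizeof(struct nlmsghdr)))

/* Model of nlmsg_put(): writes the header and zeroes only the alignment padding
 * after the payload; the payload bytes keep whatever the buffer already held. */
static struct nlmsghdr *model_nlmsg_put(unsigned char *buf, size_t *tail, uint16_t type, size_t payload)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + *tail);
    size_t len = MODEL_NLMSG_HDRLEN + payload;
    nlh->nlmsg_len = (uint32_t)len; nlh->nlmsg_type = type;
    nlh->nlmsg_flags = 0; nlh->nlmsg_seq = 0; nlh->nlmsg_pid = 0;
    memset(buf + *tail + len, 0, MODEL_NLMSG_ALIGN(len) - len); /* padding only, never the payload */
    *tail += MODEL_NLMSG_ALIGN(len);
    return nlh;
}

/* Model of nfnl_msg_put(): same header write, then fills the nfgenmsg payload
 * the way nfnl_fill_hdr() does (family, version 0, big-endian resource id). */
static struct nlmsghdr *model_nfnl_msg_put(unsigned char *buf, size_t *tail, uint16_t type, uint8_t family, uint16_t res_id)
{
    struct nlmsghdr *nlh = model_nlmsg_put(buf, tail, type, sizeof(struct nfgenmsg));
    struct nfgenmsg *nfmsg = (struct nfgenmsg *)((unsigned char *)nlh + MODEL_NLMSG_HDRLEN);
    nfmsg->nfgen_family = family; nfmsg->version = 0; nfmsg->res_id = htons(res_id);
    return nlh;
}

/* Builds the NLMSG_DONE terminator over a buffer pre-filled with a constructed
 * "stale heap" pattern and returns how many nfgenmsg payload bytes still carry it. */
int stale_terminator_bytes(int use_nfnl_msg_put)
{
    _Alignas(4) unsigned char buf[64];
    size_t tail = 0, i, stale = 0;
    memset(buf, 0xAA, sizeof buf);                 /* constructed stand-in for uninitialized heap data */
    if (use_nfnl_msg_put) model_nfnl_msg_put(buf, &tail, MODEL_NLMSG_DONE, 2 /* AF_INET */, 1);
    else model_nlmsg_put(buf, &tail, MODEL_NLMSG_DONE, sizeof(struct nfgenmsg));
    for (i = MODEL_NLMSG_HDRLEN; i < MODEL_NLMSG_HDRLEN + sizeof(struct nfgenmsg); i++)
        if (buf[i] == 0xAA) stale++;
    return (int)stale;                             /* 4 for the unfixed pattern, 0 for the fixed one */
}
```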
Exploitation
An attacker capable of triggering netfilter logging events (e.g., via firewall rules or packet processing) can cause the batching condition to occur. No special privileges beyond the ability to interact with nfnetlink are required; the leak occurs automatically when the kernel sends batched log messages. The uninitialized data is sent directly to the receiving userspace application, making the leak trivially observable.
Impact
The vulnerability leads to an information disclosure of up to 4 bytes of kernel heap memory. While the leak is small, it may reveal sensitive information such as kernel pointers or other data used to defeat kernel address space layout randomization (KASLR) or to aid in further exploitation.
Mitigation
The issue is fixed in Linux kernel stable releases via commits [1][2][3][4]. Users should update their kernels to include these patches. No workarounds are available; the fix ensures that the NLMSG_DONE terminator is built with nfnl_msg_put(), which properly initializes the nfgenmsg structure.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c
- git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4
- git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b
- git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c
- git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a
News mentions
No linked articles in our index yet.