CVE-2026-43088
Description
In the Linux kernel, the following vulnerability has been resolved:
net: af_key: zero aligned sockaddr tail in PF_KEY exports
PF_KEY export paths use pfkey_sockaddr_size() when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkey_sockaddr_fill() initializes only the first 28 bytes of struct sockaddr_in6, leaving the final 4 aligned bytes uninitialized.
Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain skb_put():
- SADB_ACQUIRE
- SADB_X_NAT_T_NEW_MAPPING
- SADB_X_MIGRATE
Fix those paths by clearing only the aligned sockaddr tail after pfkey_sockaddr_fill().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, PF_KEY exports leave 4 uninitialized bytes at the end of each exported IPv6 sockaddr, leaking kernel memory via SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE messages.
Vulnerability
In the Linux kernel's PF_KEY implementation (net/key/af_key.c), the pfkey_sockaddr_fill() function initializes only the first 28 bytes of struct sockaddr_in6 when exporting IPv6 addresses, leaving the final 4 aligned bytes uninitialized [1]. The pfkey_sockaddr_size() function reserves 32 bytes on the wire for IPv6 addresses (28 bytes rounded up to the 8-byte PF_KEY alignment), but the fill routine does not zero the tail. Because skb_put() only extends the socket buffer without clearing it, those 4 bytes carry whatever the buffer previously held. This affects the three PF_KEY message types that append sockaddr payloads with plain skb_put(): SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE [1]. The state and policy dump builders already zero the entire message buffer before filling sockaddr payloads and are not affected.
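The size mismatch described above, as an added userspace model written for this page (it is not kernel code and not the fix commit): the buffer is pre-filled with a constructed 0xAA marker standing in for stale socket-buffer contents, a fill routine mirroring pfkey_sockaddr_fill() writes exactly sizeof(struct sockaddr_in6) bytes, and the tail is then either left alone (vulnerable) or cleared up to the aligned wire length (fixed). It assumes the Linux layout where sizeof(struct sockaddr_in6) is 28 and the 8-byte rounding af_key uses for wire lengths; model_sockaddr_size(), model_sockaddr_fill(), export_sockaddr() and leaked_tail_bytes() are names chosen here, not kernel symbols.

```c
/* Added example: userspace model of the PF_KEY IPv6 sockaddr tail leak.
 * Not kernel code; the helpers below re-implement the relevant arithmetic
 * of net/key/af_key.c so the effect can be observed on an ordinary host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Same rounding af_key applies to wire lengths (assumption: 8-byte alignment). */
#define PFKEY_ALIGN8(a) (((a) + 7) & ~(size_t)7)

/* Wire reservation: sizeof(struct sockaddr_in6) == 28 rounds up to 32. */
static size_t model_sockaddr_size(sa_family_t family)
{
    switch (family) {
    case AF_INET:  return PFKEY_ALIGN8(sizeof(struct sockaddr_in));
    case AF_INET6: return PFKEY_ALIGN8(sizeof(struct sockaddr_in6));
    default:       return 0;
    }
}

/* Mirrors pfkey_sockaddr_fill() for IPv6: writes exactly sizeof(struct
 * sockaddr_in6) bytes and returns that count. Bytes 28..31 are never touched. */
static size_t model_sockaddr_fill(const struct in6_addr *addr, uint16_t port, void *sa)
{
    struct sockaddr_in6 *sin6 = sa;
    sin6->sin6_family   = AF_INET6;
    sin6->sin6_port     = port;
    sin6->sin6_flowinfo = 0;
    sin6->sin6_addr     = *addr;
    sin6->sin6_scope_id = 0;
    return sizeof(*sin6);
}

/* Models the export path: skb_put() hands back len bytes of a buffer that may
 * still hold stale data, and the fill routine covers only the first 28.
 * zero_tail != 0 applies the fix: clear only the aligned tail after filling. */
static size_t export_sockaddr(uint8_t *buf, size_t buflen,
                              const struct in6_addr *addr, int zero_tail)
{
    size_t len = model_sockaddr_size(AF_INET6);
    if (len == 0 || len > buflen)
        return 0;
    size_t filled = model_sockaddr_fill(addr, htons(500), buf);
    if (zero_tail && filled < len)
        memset(buf + filled, 0, len - filled);   /* the fix: bytes 28..31 -> 0 */
    return len;
}

/* Returns how many bytes of the aligned tail still carry the stale marker
 * after export, i.e. how many bytes of "old buffer contents" went on the wire. */
static int leaked_tail_bytes(int zero_tail)
{
    uint8_t buf[64];
    memset(buf, 0xAA, sizeof buf);            /* constructed stale buffer contents */
    struct in6_addr a;
    inet_pton(AF_INET6, "2001:db8::1", &a);   /* constructed sample address */
    size_t len = export_sockaddr(buf, sizeof buf, &a, zero_tail);
    int n = 0;
    for (size_t i = sizeof(struct sockaddr_in6); i < len; i++)
        if (buf[i] == 0xAA)
            n++;
    return n;
}

int main(void)
{
    printf("IPv6 sockaddr: struct %zu bytes, on the wire %zu bytes\n",
           sizeof(struct sockaddr_in6), model_sockaddr_size(AF_INET6));
    printf("stale tail bytes exported: unfixed %d, fixed %d\n",
           leaked_tail_bytes(0), leaked_tail_bytes(1));
    return 0;
}
```

The same check can be applied from the receiving side: a PF_KEY listener that parses an SADB_ACQUIRE or SADB_X_MIGRATE message can inspect bytes 28..31 of each IPv6 sockaddr extension; on a fixed kernel they are always zero.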
Exploitation
The leaked bytes are delivered to whichever PF_KEY sockets receive the affected messages, so an attacker needs both a way to trigger one of them (for example, local access to manipulate SA/SP databases so that an SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING or SADB_X_MIGRATE message is generated) and a PF_KEY socket on which to read the result. PF_KEY is its own socket family (AF_KEY), not netlink, and opening a PF_KEY socket requires CAP_NET_ADMIN in the owning network namespace; whether that is reachable without root depends on system configuration, for instance whether unprivileged user namespaces are permitted. The exported bytes come from the kernel socket buffer extended by skb_put(), not from the stack.
Impact
Each exported IPv6 sockaddr carries 4 bytes of whatever previously occupied that socket-buffer memory, which can include fragments of kernel pointers or other confidential data. This information disclosure vulnerability (CWE-200) could aid further exploitation by revealing internal kernel addresses or secrets; a single message leaks only a few bytes, but repeated triggering accumulates more.
Mitigation
The vulnerability is fixed by kernel commits that clear the aligned sockaddr tail after pfkey_sockaddr_fill() in the three affected export paths [1]. Users should apply the latest kernel updates from their distribution. Until then, exposure is limited to processes able to open PF_KEY sockets (CAP_NET_ADMIN); no other workaround is described.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 1
- Patch Tuesday - May 2026, Rapid7 Blog, May 13, 2026