Bug 2467005 (CVE-2026-43116) - CVE-2026-43116 kernel: netfilter: ctnetlink: ensure safe access to master conntrack
Summary: CVE-2026-43116 kernel: netfilter: ctnetlink: ensure safe access to master con...
Keywords:
Status: NEW
Alias: CVE-2026-43116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-06 10:02 UTC by OSIDB Bzimport
Modified: 2026-06-22 06:02 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:21557 0 None None None 2026-05-28 01:20:03 UTC
Red Hat Product Errata RHSA-2026:25217 0 None None None 2026-06-11 10:13:33 UTC
Red Hat Product Errata RHSA-2026:26462 0 None None None 2026-06-17 01:13:59 UTC
Red Hat Product Errata RHSA-2026:26515 0 None None None 2026-06-17 06:33:36 UTC
Red Hat Product Errata RHSA-2026:26535 0 None None None 2026-06-17 09:18:45 UTC
Red Hat Product Errata RHSA-2026:26563 0 None None None 2026-06-17 11:58:32 UTC
Red Hat Product Errata RHSA-2026:26570 0 None None None 2026-06-17 13:19:45 UTC
Red Hat Product Errata RHSA-2026:27708 0 None None None 2026-06-22 05:56:00 UTC
Red Hat Product Errata RHSA-2026:27731 0 None None None 2026-06-22 05:04:16 UTC
Red Hat Product Errata RHSA-2026:27735 0 None None None 2026-06-22 06:02:09 UTC

Description OSIDB Bzimport 2026-05-06 10:02:48 UTC
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ensure safe access to master conntrack

Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

- Grab the nf_conntrack_expect_lock, this gets serialized with
  clean_from_lists() which also holds this lock when the master
  conntrack goes away.

- Hold reference on master conntrack via nf_conntrack_find_get().
  Not so easy since the master tuple to look up for the master conntrack
  is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.

While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.

Comment 10 errata-xmlrpc 2026-05-28 01:20:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:21557 https://access.redhat.com/errata/RHSA-2026:21557

Comment 11 errata-xmlrpc 2026-06-11 10:13:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25217 https://access.redhat.com/errata/RHSA-2026:25217

Comment 12 errata-xmlrpc 2026-06-17 01:13:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26462 https://access.redhat.com/errata/RHSA-2026:26462

Comment 13 errata-xmlrpc 2026-06-17 06:33:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26515 https://access.redhat.com/errata/RHSA-2026:26515

Comment 14 errata-xmlrpc 2026-06-17 09:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:26535 https://access.redhat.com/errata/RHSA-2026:26535

Comment 15 errata-xmlrpc 2026-06-17 11:58:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:26563 https://access.redhat.com/errata/RHSA-2026:26563

Comment 16 errata-xmlrpc 2026-06-17 13:19:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:26570 https://access.redhat.com/errata/RHSA-2026:26570

Comment 18 errata-xmlrpc 2026-06-22 05:04:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:27731 https://access.redhat.com/errata/RHSA-2026:27731

Comment 19 errata-xmlrpc 2026-06-22 05:55:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:27708 https://access.redhat.com/errata/RHSA-2026:27708

Comment 20 errata-xmlrpc 2026-06-22 06:02:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:27735 https://access.redhat.com/errata/RHSA-2026:27735


Note You need to log in before you can comment on or make changes to this bug.