Bug 2467021 (CVE-2026-43084) - CVE-2026-43084 kernel: netfilter: nfnetlink_queue: make hash table per queue
Summary: CVE-2026-43084 kernel: netfilter: nfnetlink_queue: make hash table per queue
Keywords:
Status: NEW
Alias: CVE-2026-43084
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-06 10:03 UTC by OSIDB Bzimport
Modified: 2026-05-06 13:23 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-06 10:03:33 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but
it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
 nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
 nfnetlink_rcv_msg+0x46a/0x930
 kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still
encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
but as we have to alloc/free for each skb this will cause more mem
pressure.
Comment 1 Alexander B 2026-05-06 13:20:56 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050615-CVE-2026-43084-963f@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.