CVE-2026-43024
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A vulnerability was found in the Linux kernel's netfilter nf_tables subsystem, allowing an immediate NF_QUEUE verdict. This verdict is not used by userspace nftables tools, and the ARP family lacks queue support, potentially leading to unexpected behavior.
Risk Assessment
The risk involves potential disruption of packet filtering in the ARP family, which could allow an attacker to bypass rules or cause a system crash.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix that rejects immediate NF_QUEUE verdicts in nf_tables.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject immediate NF_QUEUE verdict nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts. The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.

