CVE-2026-43026
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability in netfilter ctnetlink causes uninitialized saved_addr and saved_proto fields in expectation structures when CTA_EXPECT_NAT is missing, leaking stale data from previous slab allocations to userspace.
Risk Assessment
The organization risks exposure of sensitive data (e.g., IP addresses, ports) from prior NAT expectations, potentially allowing an attacker with local access to read confidential network information.
Recommendation
Immediately update the Linux kernel to a version that zeroes saved_addr, saved_proto, and dir fields when CTA_EXPECT_NAT is absent.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT. The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields. Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled. Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.

