CVE-2026-43027

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-43027
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup. After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free. Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed. BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seq_printf+0x17a/0x240 exp_seq_show+0x2e5/0x560 seq_read_iter+0x419/0x1280 proc_reg_read+0x1ac/0x270 vfs_read+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a Patch
https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be Patch
https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6 Patch
https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1 Patch
https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3 Patch
https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965 Patch
https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65 Patch
https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
History

08 May 2026, 18:29

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a - () https://git.kernel.org/stable/c/2c16e4d64dd91227742dfe196a3e7b0568bef65a - Patch
References () https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be - () https://git.kernel.org/stable/c/2cf2737c85a2ba2b52024dafe68ffad2676f97be - Patch
References () https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6 - () https://git.kernel.org/stable/c/504ba4168466c91210c45acdc332479cfd5f2da6 - Patch
References () https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1 - () https://git.kernel.org/stable/c/5cf28d5c8dcbbe8af6d3b145babe491906d7bad1 - Patch
References () https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3 - () https://git.kernel.org/stable/c/620f3d14c1ef51d425060a3056ad8dbae8f998a3 - Patch
References () https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965 - () https://git.kernel.org/stable/c/90bd7e8501349db3006d21fbc09df9ffcb172965 - Patch
References () https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65 - () https://git.kernel.org/stable/c/a242a9ae58aa46ff7dae51ce64150a93957abe65 - Patch
References () https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af - () https://git.kernel.org/stable/c/dc1739eff48e34cc71d4e2f03715493fbcebd8af - Patch
First Time Linux linux Kernel
Linux
CWE CWE-416
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8

01 May 2026, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-05-01 15:16

Updated : 2026-05-08 18:29

NVD link : CVE-2026-43027

Mitre link : CVE-2026-43027

CVE.ORG link : CVE-2026-43027

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free