Cyber Posture

CVE-2026-43025

Severity: High
Published: 01 May 2026
Modified: 08 May 2026
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-43025 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Applying upstream kernel patches directly remediates the mishandling of userspace-specified helpers in ctnetlink_new_expect that triggers slab-out-of-bounds reads in nf_ct_expect_related_report.

prevent (SI-10, Information Input Validation): Enforces validation of userspace netlink inputs such as CTA_EXPECT_CLASS to prevent invalid helper specifications from causing out-of-bounds kernel memory access.

prevent (SI-16, Memory Protection): Implements memory protection mechanisms such as bounds checking to mitigate slab-out-of-bounds reads beyond expectation boundaries in the netfilter ctnetlink subsystem.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel vulnerability in ctnetlink allowing low-privileged users to trigger arbitrary kernel memory reads via crafted netlink messages; this directly enables exploitation for privilege escalation (info leak can facilitate further attacks despite low integrity impact).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ignore explicit helper on new expectations

Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper:

BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
Read of size 4 at addr ffff8880043fe408 by task poc/102
Call Trace:
 nf_ct_expect_related_report+0x2479/0x27c0
 ctnetlink_create_expect+0x22b/0x3b0
 ctnetlink_new_expect+0x4bd/0x5c0
 nfnetlink_rcv_msg+0x67a/0x950
 netlink_rcv_skb+0x120/0x350

Allowing to read kernel memory bytes off the expectation boundary. CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.

Deeper analysis

CVE-2026-43025 is a vulnerability in the Linux kernel's netfilter ctnetlink subsystem, where explicit helper suggestions from userspace for new connection tracking expectations were mishandled. Before the fix, CTA_EXPECT_CLASS was validated against a helper supplied by userspace rather than the existing master conntrack helper; when the two differed, nf_ct_expect_related_report performed a slab-out-of-bounds read during ctnetlink_new_expect processing, reading kernel memory bytes beyond the expectation boundary, as detected by KASAN. The fix ignores the userspace-suggested helper and uses the master conntrack helper instead.

A local attacker with low privileges (PR:L) can exploit this via netlink messages to the ctnetlink interface, requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields high confidentiality impact through arbitrary kernel memory reads, low integrity impact, and high availability impact, with unchanged scope (S:U), as scored at CVSS 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H).

Mitigation involves applying upstream kernel patches from the referenced stable commits, such as 0f6c33697ccfac6499d0b7a4dbdec5d3a3a566cd, which enforce ignoring userspace-specified helpers for new expectations while preserving CTA_EXPECT_HELP_NAME for netlink dumps to userspace. Systems should update to patched kernel versions to prevent exploitation.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 3.12 to 6.1.168; 6.2 to 6.6.134; 6.7 to 6.12.81
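A kernel-version triage check for the affected ranges listed above and the "update to patched kernel versions" advice in the analysis, written as an added example (not code from the page or the kernel project). It assumes the listed ranges are inclusive and that the lone "7.0" entry means the single version 7.0; `CVE_ID`, `AFFECTED`, `parse_version`, `is_affected` and `assess` are names chosen here.

```python
import re
from typing import Optional, Tuple

CVE_ID = "CVE-2026-43025"

# Affected entries copied from this page's "Affected Products" line:
# "7.0 · 3.12 — 6.1.168 · 6.2 — 6.6.134 · 6.7 — 6.12.81".
# Ranges are treated as inclusive; the lone "7.0" entry is matched as the
# single version 7.0 (an assumption about the page's listing, not an upstream fact).
AFFECTED = [
    ("3.12", "6.1.168"),
    ("6.2", "6.6.134"),
    ("6.7", "6.12.81"),
    ("7.0", "7.0"),
]

Version = Tuple[int, int, int]


def parse_version(release: str) -> Optional[Version]:
    """Take the leading x.y[.z] of a `uname -r` style string.

    '6.6.130-1-amd64' -> (6, 6, 130); '6.12' -> (6, 12, 0);
    '6.13.0-rc2' -> (6, 13, 0). Returns None if there is no numeric prefix.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(release: str) -> bool:
    """True if the kernel's upstream version falls inside a listed affected range."""
    ver = parse_version(release)
    if ver is None:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in AFFECTED)


def assess(release: str) -> dict:
    """Summary record suitable for an inventory or ticketing step."""
    return {"cve": CVE_ID, "kernel": release, "affected": is_affected(release)}


if __name__ == "__main__":
    import platform
    # Check the kernel this script runs on; exit status 1 if it is in an affected range.
    result = assess(platform.release())
    print(result)
    raise SystemExit(1 if result["affected"] else 0)
```

Distribution kernels often backport fixes without changing the upstream version string, so treat a match as a prompt to confirm against the vendor advisory or the stable commits the analysis above refers to, not as proof of exposure.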

CVEs Like This One

CVE-2026-23099 (same product: Linux kernel)
CVE-2026-23407 (same product: Linux kernel)
CVE-2025-71112 (same product: Linux kernel)
CVE-2026-31675 (same product: Linux kernel)
CVE-2026-43048 (same product: Linux kernel)
CVE-2026-31641 (same product: Linux kernel)
CVE-2026-31570 (same product: Linux kernel)
CVE-2026-23406 (same product: Linux kernel)
CVE-2024-57998 (same product: Linux kernel)
CVE-2026-31558 (same product: Linux kernel)