From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-43453: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Date: Fri, 8 May 2026 16:23:02 +0200 [thread overview]
Message-ID: <2026050858-CVE-2026-43453-fbba@gregkh> (raw)
From: Greg Kroah-Hartman <gregkh@kernel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
The Linux kernel CVE team has assigned CVE-2026-43453 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.10.253 with commit 1957e793196e7f8557374fd4eda53abcbb42e1c0
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.15.203 with commit 57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.1.167 with commit 60c1d18781e37bfb96290b86510eb01c5fa24d75
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.6.130 with commit 0a55d62cdb628923d8a21724374a70c76ac7d19d
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.12.78 with commit dfbdac719198778b581bc0dd055df2542edb8c62
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.18.19 with commit e047f6fbb975f685d6c9fcef95b3b7787a79b46d
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.19.9 with commit 324b749aa5b2d516ccfab933df9d3f56e7807f5f
Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 7.0 with commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-43453
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/netfilter/nft_set_pipapo.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0
https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75
https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d
https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62
https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d
https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f
https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5
reply other threads:[~2026-05-08 14:26 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026050858-CVE-2026-43453-fbba@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=gregkh@kernel.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox