From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCC4F3EF663
	for <linux-cve-announce@vger.kernel.org>; Fri,  8 May 2026 14:26:39 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778250399; cv=none; b=vCH98/fAhEpcY1nFpOKCCsM5ukxpnYIbNYpxvfP3YCRKh4U0rHdxZikRCLg8Zc02UbbTRKFeQDhFGHRJ06Lyh+LHI4Z5NmUqEh6siSfbyoDNPoRfG5EtTiPn17ch242nQwFMkg5eJ0UREYvAcI7mZTFklNNCEiw1lYfY2F8nlfQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778250399; c=relaxed/simple;
	bh=M2Z1Drie5NWNmThTPlHRJiqLiRcUz0dphZOiStu0r4g=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=SBGKPsskhTQw5g1ulj8g536MbveNmZkOXZjZ384Z3lw2RuvB95dk4NAuhsEhVbcQn/GvGpTXE5M/Nl12HqtJ10TSJmrBms0+wTP4RUacFdTN/OnlJUdXt9Fs8OVWhE5FcIbpmXHD81FKEywPO9OYhtD96BaelW4v9ji/I5jnh6k=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=lLyDY2h2; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="lLyDY2h2"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3263EC2BCB0;
	Fri,  8 May 2026 14:26:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
	s=korg; t=1778250399;
	bh=M2Z1Drie5NWNmThTPlHRJiqLiRcUz0dphZOiStu0r4g=;
	h=From:To:Cc:Subject:Date:Reply-To:From;
	b=lLyDY2h2iaQuLwWK5W2DDT4vGXYF8Vr8lD8qQM9n+2STgyaQ34H1JgmDaCou+NfK4
	 5MHrpf1lhn/4VUCQD8LEf2fyhbXxNycuRdAPIURNGOq4Q2CRLmIaHVnfyS9Ovc7bBJ
	 8I9lasseqt4l6HOIjHmCapDrGtjKRTePPY9Dp7Qk=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-43453: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Date: Fri,  8 May 2026 16:23:02 +0200
Message-ID: <2026050858-CVE-2026-43453-fbba@gregkh>
X-Mailer: git-send-email 2.54.0
Reply-To: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Precedence: bulk
X-Mailing-List: linux-cve-announce@vger.kernel.org
List-Id: <linux-cve-announce.vger.kernel.org>
List-Subscribe: <mailto:linux-cve-announce+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-cve-announce+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=4073; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=zhk92vK+qpaj0MXc/ODLxiTjx3D1Z5H0F26sx53QLwM=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P7aZ73ku9WlP+8T5mdqrJZYHzou1XWdwXVi14O6bp DtBFjlTOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAij48zzLNQXCewQXndUn+/ sysS//18eqCs9w/DfB82vjrfDpNnyy3lxCa5znh/yUX8MwA=
X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
Content-Transfer-Encoding: 8bit

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()

pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).

Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:

  BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
  Read of size 4 at addr ffff8000810e71a4

  This frame has 1 object:
   [32, 160) 'rulemap'

  The buggy address is at offset 164 -- exactly 4 bytes past the end
  of the rulemap array.

Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.

The Linux kernel CVE team has assigned CVE-2026-43453 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.10.253 with commit 1957e793196e7f8557374fd4eda53abcbb42e1c0
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.15.203 with commit 57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.1.167 with commit 60c1d18781e37bfb96290b86510eb01c5fa24d75
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.6.130 with commit 0a55d62cdb628923d8a21724374a70c76ac7d19d
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.12.78 with commit dfbdac719198778b581bc0dd055df2542edb8c62
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.18.19 with commit e047f6fbb975f685d6c9fcef95b3b7787a79b46d
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.19.9 with commit 324b749aa5b2d516ccfab933df9d3f56e7807f5f
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 7.0 with commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43453
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/nft_set_pipapo.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0
	https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e
	https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75
	https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d
	https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62
	https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d
	https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f
	https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5