{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43084", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.983Z", "datePublished": "2026-05-06T07:40:19.253Z", "dateUpdated": "2026-05-06T07:40:19.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-06T07:40:19.253Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: make hash table per queue\n\nSharing a global hash table among all queues is tempting, but\nit can cause crash:\n\nBUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n[..]\n nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n nfnetlink_rcv_msg+0x46a/0x930\n kmem_cache_alloc_node_noprof+0x11e/0x450\n\nstruct nf_queue_entry is freed via kfree, but parallel cpu can still\nencounter such an nf_queue_entry when walking the list.\n\nAlternative fix is to free the nf_queue_entry via kfree_rcu() instead,\nbut as we have to alloc/free for each skb this will cause more mem\npressure."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_queue.h", "net/netfilter/nfnetlink_queue.c"], "versions": [{"version": "371de2bef6582a3f58049b3d18e190924af9c9a0", "lessThan": "22730cb96093b5be0609063bbb1923dbecd61252", "status": "affected", "versionType": "git"}, {"version": "870e3e63da8e88daffe9d692a025c711658018a8", "lessThan": "41e3652a178cb0eecd48e0e6e27fbb73a004046a", "status": "affected", "versionType": "git"}, {"version": "70e2e3ce4f6841e12ec1c104fc76c0e707398ec4", "lessThan": "9e5ebef91120d2764aefe557c3a484b6288f341f", "status": "affected", "versionType": "git"}, {"version": "e19079adcd26a25d7d3e586b1837493361fdf8b6", "lessThan": "936206e3f6ff411581e615e930263d6f8b78df9d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/netfilter/nf_queue.h", "net/netfilter/nfnetlink_queue.c"], "versions": [{"version": "6.12.75", "lessThan": "6.12.83", "status": "affected", "versionType": "semver"}, {"version": "6.18.14", "lessThan": "6.18.24", "status": "affected", "versionType": "semver"}, {"version": "6.19.4", "lessThan": "6.19.14", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.14", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252"}, {"url": "https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a"}, {"url": "https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f"}, {"url": "https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d"}], "title": "netfilter: nfnetlink_queue: make hash table per queue", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: make hash table per queue\n\nSharing a global hash table among all queues is tempting, but\nit can cause crash:\n\nBUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n[..]\n nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n nfnetlink_rcv_msg+0x46a/0x930\n kmem_cache_alloc_node_noprof+0x11e/0x450\n\nstruct nf_queue_entry is freed via kfree, but parallel cpu can still\nencounter such an nf_queue_entry when walking the list.\n\nAlternative fix is to free the nf_queue_entry via kfree_rcu() instead,\nbut as we have to alloc/free for each skb this will cause more mem\npressure."}], "id": "CVE-2026-43084", "lastModified": "2026-05-06T13:08:07.970", "metrics": {}, "published": "2026-05-06T10:16:21.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}