HIGH
netfilter NameValidation Overflow
CVE-2026-43028
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI score: 6.1 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: ensure names are nul-terminated

Reject names that lack a \0 character before feeding them to functions that expect c-strings.

Fixes tag is the most recent commit that needs this change.
02 KernelScan AI Analysis
Risk summary
Local attackers holding CAP_NET_ADMIN can trigger out-of-bounds reads in netfilter by supplying non-null-terminated strings to the xt_cgroup and xt_rateest modules during rule installation. The result can be disclosure of kernel memory contents and system crashes on systems that use netfilter rules with cgroup or rate-estimator matching.
Vulnerability analysis
The vulnerability occurs because the xt_cgroup and xt_rateest modules accept user-provided strings (cgroup paths and rate-estimator names) without verifying that they are null-terminated before passing them to functions that expect C strings, such as cgroup_get_from_path() and xt_rateest_lookup(). When those functions perform string operations on a buffer that has no terminator, they read past the end of the allocated memory, producing out-of-bounds reads. The fix adds a strnlen() check so that each string is confirmed to contain a terminator within its allocated buffer size before it is processed. Configuring netfilter rules requires CAP_NET_ADMIN, which is obtainable through user namespaces on default kernels.
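As an added illustration (not code from the kernel or from this advisory), the following user-space C sketch shows the shape of the check the fix describes: a fixed-size name field copied verbatim from userspace is tested with strnlen() before any C-string function is allowed to see it. NAME_SIZE, demo_match_info, validate_name(), lookup_by_name() and the registry contents are hypothetical stand-ins chosen for the example, not the real xt_cgroup or xt_rateest structures or their sizes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size name field, modelled on netfilter match
 * structures that carry a char name[N] copied as-is from userspace. */
#define NAME_SIZE 16

struct demo_match_info {
    char name[NAME_SIZE];
};

/* The check a checkentry-style hook should perform before the name is
 * handed to anything that expects a C string: a nul byte must exist
 * somewhere inside the buffer. strnlen() never reads past NAME_SIZE, so
 * the check itself cannot overrun. */
static int validate_name(const struct demo_match_info *info)
{
    if (strnlen(info->name, sizeof(info->name)) == sizeof(info->name))
        return -EINVAL;   /* no terminator within NAME_SIZE bytes */
    return 0;
}

/* Stand-in for a lookup such as xt_rateest_lookup(): it only calls
 * strcmp() on the name once validate_name() has succeeded, so strcmp()
 * can never walk off the end of the buffer. */
static const char *lookup_by_name(const struct demo_match_info *info)
{
    static const char *const registry[] = { "est0", "est1" }; /* constructed */
    size_t i;

    if (validate_name(info) != 0)
        return NULL;
    for (i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
        if (strcmp(info->name, registry[i]) == 0)
            return registry[i];
    return NULL;
}

/* Build a constructed "userspace" payload: the buffer is pre-filled with
 * non-nul bytes and exactly `len` bytes of `src` are copied in, so no
 * terminator appears unless `src` itself supplies one. */
static struct demo_match_info make_info(const char *src, size_t len)
{
    struct demo_match_info info;

    memset(info.name, 'A', sizeof(info.name));
    memcpy(info.name, src, len < sizeof(info.name) ? len : sizeof(info.name));
    return info;
}

int main(void)
{
    /* Terminated name: the nul is part of the 5 copied bytes. */
    struct demo_match_info good = make_info("est0", 5);
    /* Unterminated name: 16 non-nul bytes fill the whole field. */
    struct demo_match_info bad = make_info("AAAAAAAAAAAAAAAAAAAA", 20);

    printf("good: validate=%d lookup=%s\n", validate_name(&good),
           lookup_by_name(&good) ? lookup_by_name(&good) : "(none)");
    printf("bad:  validate=%d lookup=%s\n", validate_name(&bad),
           lookup_by_name(&bad) ? lookup_by_name(&bad) : "(none)");
    return 0;
}
```

The unterminated payload is rejected with -EINVAL at validation time, which is the same outcome the advisory describes for the fixed kernel: the string never reaches a function that would scan for a terminator it does not have.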
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | bcac50ea0a29 |
| 5.15 | 5.15.203 | ea01c1b219f5 |
| 6.1 | 6.1.168 | aa6cd4a88633 |
| 6.6 | 6.6.134 | c2d4a3abb15c |
| 6.12 | 6.12.81 | 673bbd36cba2 |
| 6.18 | 6.18.22 | f419bdc20589 |
| 6.19 | 6.19.12 | 731246081728 |
| mainline | 7.0 | a958a4f90ddd |