KernelScan.io

HIGH

netfilter NFQueue UAF

CVE-2026-43060

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 6.6 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: drop pending enqueued packets on removal

Packets sitting in nfqueue might hold a reference to:

- templates that specify the conntrack zone, because a percpu area is used and module removal is possible.
- conntrack timeout policies and helper, where object removal leaves a stale reference.

Since these objects can just go away, drop enqueued packets to avoid stale references to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.


Engine v0.2.0

Risk summary

Local attackers with CAP_NET_ADMIN privileges can trigger use-after-free conditions by removing netfilter conntrack objects while packets remain queued in nfqueue. This leads to potential information disclosure, memory corruption, and denial of service on systems using netfilter connection tracking with user-space packet processing.

Affected: net/netfilter/nft_ct.c (netfilter)

Vulnerability analysis

The vulnerability occurs when netfilter conntrack objects (timeout policies, helpers, or zone templates) are removed while packets in nfqueue still hold references to them. The original code failed to drop queued packets during object destruction, leaving stale pointers that cause use-after-free when the queued packets are later processed. This can result in kernel crashes, limited information disclosure from freed slab memory, or memory corruption depending on heap state. The fix adds nf_queue_nf_hook_drop() calls in the destruction paths for ct timeout objects, helper objects, and zone templates to ensure all queued packets are dropped before the referenced objects are freed. This requires local access with network administration privileges to manipulate netfilter rules and objects.


Branch      Fixed in    Patch commit
5.10        5.10.253    8a64e7693367
5.15        5.15.203    3da0b946835f
6.1         6.1.167     ab50302190b3
6.12        6.12.78     6802ff8beceb
6.18        6.18.20     f29a055e4f59
6.19        6.19.10     77da55dee677
6.6         6.6.130     e68a8db3a054
mainline    7.0         36eae0956f65