HIGH Published 2026-05-06

netfilter NFQueue UAF

CVE-2026-43084

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI6.7MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450 struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list. Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mem pressure.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Local attackers capable of obtaining CAP_NET_ADMIN (achievable via unprivileged user namespaces on default kernels) can trigger a slab use-after-free in the netfilter nfnetlink_queue subsystem. A race condition between CPUs on the global packet hash table allows a freed nf_queue_entry to be accessed by a parallel lookup, leading to kernel memory corruption, information disclosure, or system crash on systems using netfilter packet queuing.

Affectednet/netfilter/nfnetlink_queue.c (netfilter)

Vulnerability analysis

The vulnerability stems from a race condition where a globally shared rhashtable is used for all nfnetlink_queue instances across the system. When one CPU frees an nf_queue_entry via kfree(), another CPU may concurrently walk the global hash table in find_dequeue_entry() and encounter the freed object. The fix replaces the global hash table with per-queue hash tables, eliminating the cross-queue race. The attack surface is local: an attacker must open a netlink socket and issue nfqueue verdict commands. CAP_NET_ADMIN is required to manipulate netfilter queues, but this capability is available to unprivileged users inside user namespaces on default kernel configurations.

03Fix Versions

Branch	Fixed in	Patch commit
6.12	6.12.83	`22730cb96093`
6.18	6.18.24	`41e3652a178c`
6.19	6.19.14	`9e5ebef91120`