# CVE-2026-43329: netfilter Flowtable Overflow

Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.9 (MEDIUM)
## Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: strictly check for maximum number of actions

The maximum number of flowtable hardware offload actions in IPv6 is:

* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.
* Redirect (1 action)

which makes 17, while the maximum is 16. But act_ct supports tunnel actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions.

Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, raise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.
## KernelScan AI Analysis

### Risk summary

Local attackers with CAP_NET_ADMIN privileges (obtainable via unprivileged user namespaces on default kernels) can trigger an out-of-bounds write in the netfilter flowtable hardware offload path by installing IPv6 flows that exceed the maximum action limit of 16 entries. The write corrupts adjacent kernel heap objects, leading to memory corruption and system crashes. This affects routers, firewalls and network appliances that use netfilter hardware offload, as well as multi-tenant systems where unprivileged users can create user namespaces.
### Vulnerability analysis

The vulnerability lies in netfilter's flowtable hardware offload implementation, where flow_action_entry_next() writes flow_action_entry structures beyond the bounds of the fixed-size entries[16] array in struct flow_action. IPv6 flows that need ethernet mangling, SNAT, DNAT, double VLAN and redirect can require up to 17 actions, and tunnel encapsulation can require even more. The attacker controls the flow parameters (IP addresses, ports, VLANs, tunnel metadata) that are written into the out-of-bounds entries. The fix adds a strict bounds check to flow_action_entry_next() so that it returns NULL when the limit is reached, propagates that error through the call chain, and raises the maximum number of actions per flow to 24.
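The unchecked-versus-checked slot allocation described above, as an added example in C that is not the kernel's code; the struct layout, the capacity field and the numeric action ids are assumptions made for illustration:

```c
/* Added example, not the kernel's code: a simplified model of the flowtable
 * offload action array and the bounds check the fix adds. Struct layout,
 * the capacity field and the action ids are assumptions for illustration. */
#include <stddef.h>

#define MAX_ACTIONS_NEW 24   /* limit after the fix; it was 16 before */
struct flow_action_entry { int id; unsigned int word; };

struct flow_action {
    unsigned int num_entries;
    unsigned int max_entries;   /* assumed: capacity tracked beside the array */
    struct flow_action_entry entries[MAX_ACTIONS_NEW];
};

/* Fixed behaviour: hand out the next free slot, or NULL when the array is
 * full. The pre-fix code returned &entries[num_entries++] unconditionally,
 * so a 17th action was written past the end of the 16-entry array. */
static struct flow_action_entry *flow_action_entry_next(struct flow_action *fa)
{
    if (fa->num_entries >= fa->max_entries)
        return NULL;
    return &fa->entries[fa->num_entries++];
}

/* Emit n actions of one kind; -1 means the caller must abort the offload. */
static int add_actions(struct flow_action *fa, int id, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++) {
        struct flow_action_entry *e = flow_action_entry_next(fa);
        if (!e)
            return -1;          /* propagated up the call chain, as in the fix */
        e->id = id;
        e->word = i;            /* one 32-bit word of the mangled field */
    }
    return 0;
}

/* The IPv6 case from the advisory: ethernet mangling (4), SNAT (4), DNAT (4),
 * double VLAN pop+push (4) and redirect (1) = 17 actions. Returns the count
 * placed, or -1 when the given capacity is exceeded. */
int build_ipv6_nat_qinq(unsigned int capacity)
{
    struct flow_action fa = { 0, capacity > MAX_ACTIONS_NEW ? MAX_ACTIONS_NEW : capacity };
    if (add_actions(&fa, 1, 4) || add_actions(&fa, 2, 4) ||
        add_actions(&fa, 3, 4) || add_actions(&fa, 4, 4) ||
        add_actions(&fa, 5, 1))
        return -1;
    return (int)fa.num_entries;
}
```

With the old capacity of 16 the builder now fails cleanly instead of writing the 17th entry past the array; with the raised capacity of 24 all 17 actions fit.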
## Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | ead66c77303f |
| 6.1 | 6.1.168 | fe9018d3e943 |
| 6.6 | 6.6.134 | 5382bb03e9c3 |
| 6.12 | 6.12.81 | 57c78bd2e2dd |
| 6.18 | 6.18.22 | 504c9456699d |
| 6.19 | 6.19.12 | 879959a7a2be |
| mainline | 7.0 | 76522fcdbc3a |