CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43038 – ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
https://notcve.org/view.php?id=CVE-2026-43038
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offse... • https://git.kernel.org/stable/c/ca15a078bd907df5fc1c009477869c5cbde3b753 •
CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43037 – ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
https://notcve.org/view.php?id=CVE-2026-43037
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value.... • https://git.kernel.org/stable/c/c4d3efafcc933fd2ffd169d7dc4f980393a13796 • CWE-787: Out-of-bounds Write •
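The two entries above are the same bug seen from both directions: a cloned skb still carries the other address family's control block in cb[], and the ICMP error path reinterprets it through IPCB()/IP6CB(). The C program below is an added example, not code from the kernel or from these advisories. It reproduces the field overlap the commit messages name (nhoff over opt.rr at offset 14, dsthao over opt.cipso at offset 18) using struct layouts transcribed from include/net/ip.h and include/linux/ipv6.h as the writer of this example understands them for a MIP6-enabled build; the sk_buff stand-in, the function names and the sample nhoff/cipso values are assumptions, and the fix it models is the cb[] clear the titles describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_SIZE 48                 /* size of sk_buff.cb[] */

/* IPv4 control block: struct ip_options inlined into struct inet_skb_parm.
 * The kernel's six 1-bit flags in ip_options are collapsed into one byte and
 * the trailing flexible __data[] member is omitted; neither changes the
 * offsets of the fields that matter here.  Assumption: MIP6-enabled build. */
struct ip_options {
	uint32_t faddr;
	uint32_t nexthop;
	unsigned char optlen;
	unsigned char srr;
	unsigned char rr;              /* cb[14] */
	unsigned char ts;              /* cb[15] */
	unsigned char flag_bits;
	unsigned char router_alert;
	unsigned char cipso;           /* cb[18] */
	unsigned char pad2;
};

struct inet_skb_parm {
	int iif;
	struct ip_options opt;
	uint16_t flags;
	uint16_t frag_max_size;
};

/* IPv6 control block: struct inet6_skb_parm. */
struct inet6_skb_parm {
	int iif;
	uint16_t ra, dst0, srcrt, dst1, lastopt;
	uint16_t nhoff;                /* cb[14..15] */
	uint16_t flags;
	uint16_t dsthao;               /* cb[18..19], CONFIG_IPV6_MIP6 */
	uint16_t frag_max_size;
	uint16_t srhoff;
};

_Static_assert(offsetof(struct inet6_skb_parm, nhoff) == 14 &&
	       offsetof(struct inet_skb_parm, opt) + offsetof(struct ip_options, rr) == 14,
	       "nhoff aliases opt.rr");
_Static_assert(offsetof(struct inet6_skb_parm, dsthao) == 18 &&
	       offsetof(struct inet_skb_parm, opt) + offsetof(struct ip_options, cipso) == 18,
	       "dsthao aliases opt.cipso");
_Static_assert(sizeof(struct inet_skb_parm) <= SKB_CB_SIZE &&
	       sizeof(struct inet6_skb_parm) <= SKB_CB_SIZE, "both fit in cb[]");

/* Minimal sk_buff stand-in: only the control block matters here. */
struct skb { unsigned char cb[SKB_CB_SIZE]; };
#define IPCB(s)  ((struct inet_skb_parm *)(s)->cb)
#define IP6CB(s) ((struct inet6_skb_parm *)(s)->cb)

/* ip4ip6_err() direction: the IPv6 receive path stored nhoff, the skb is
 * cloned and icmp_send() reads IPCB(skb2).  Returns the 16-bit value that
 * __ip_options_echo() finds in the opt.rr/opt.ts byte pair; 0 means "no
 * record-route option", which is what a cleared cb[] yields. */
static uint16_t rr_seen_by_ipv4_path(uint16_t nhoff, int clear_cb_on_clone)
{
	struct skb rx = {0}, skb2;
	uint16_t rr_ts;

	IP6CB(&rx)->nhoff = nhoff;
	skb2 = rx;                                  /* skb_clone(): cb[] copied verbatim */
	if (clear_cb_on_clone)
		memset(skb2.cb, 0, sizeof(skb2.cb));   /* the fix */
	memcpy(&rr_ts, &IPCB(&skb2)->opt.rr, sizeof(rr_ts));
	return rr_ts;
}

/* ip6_err_gen_icmpv6_unreach() direction: the IPv4 path stored a CIPSO
 * option offset, the clone goes to icmp6_send(), which reads IP6CB(skb2).
 * Returns the dsthao value the IPv6 code would act on (0 = no HAO). */
static uint16_t dsthao_seen_by_ipv6_path(unsigned char cipso, int clear_cb_on_clone)
{
	struct skb rx = {0}, skb2;

	IPCB(&rx)->opt.cipso = cipso;
	skb2 = rx;
	if (clear_cb_on_clone)
		memset(skb2.cb, 0, sizeof(skb2.cb));
	return IP6CB(&skb2)->dsthao;
}

int main(void)
{
	printf("IPv6 nhoff=40 read as IPv4 rr/ts: %#x (cleared: %#x)\n",
	       rr_seen_by_ipv4_path(40, 0), rr_seen_by_ipv4_path(40, 1));
	printf("IPv4 cipso=20 read as IPv6 dsthao: %#x (cleared: %#x)\n",
	       dsthao_seen_by_ipv6_path(20, 0), dsthao_seen_by_ipv6_path(20, 1));
	return 0;
}
```

The two _Static_asserts are the check worth carrying into a review of any code that hands a cloned skb across address families: if the offsets collide, the consumer on the other side is reading attacker-influenced option state, and a memset of cb[] on the clone is the minimal fix.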
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2026-43036 – net: use skb_header_pointer() for TCPv4 GSO frag_off check
https://notcve.org/view.php?id=CVE-2026-43036
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: use skb_header_pointer() for TCPv4 GSO frag_off check Syzbot reported a KMSAN uninit-value warning in gso_features_check() called from netif_skb_features() [1]. gso_features_check() reads iph->frag_off to decide whether to clear mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr() can rely on skb header offsets that are not always safe for direct dereference on packets injected from PF_PACKET paths. Use skb_header_p... • https://git.kernel.org/stable/c/cbc53e08a793b073e79f42ca33f1f3568703540d • CWE-908: Use of Uninitialized Resource •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43035 – net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
https://notcve.org/view.php?id=CVE-2026-43035
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field. The fix simply zeroes tcm_info alongside the other fields that are already initialized. • https://git.kernel.org/stable/c/32a4f5ecd7381f30ae3bb36dea77a150ba68af2e • CWE-908: Use of Uninitialized Resource •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43033 – crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
https://notcve.org/view.php?id=CVE-2026-43033
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source. However, the data to be hashed need to be rearranged accordingly. Thanks, • https://git.kernel.org/stable/c/104880a6b470958ddc30e139c41aa4f6ed3a5234 •
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43028 – netfilter: x_tables: ensure names are nul-terminated
https://notcve.org/view.php?id=CVE-2026-43028
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: ensure names are nul-terminated Reject names that lack a \0 character before feeding them to functions that expect C strings. Fixes tag is the most recent commit that needs this change. • https://git.kernel.org/stable/c/c38c4597e4bf3e99860eac98211748e1ecb0e139 •
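Fixed-size name fields copied in from userspace are the general shape behind the entry above: nothing guarantees a NUL inside the field, so the first strlen()/strcmp() walks into whatever follows it. The C program below is an added example, not code from the kernel or from the advisory. XT_EXTENSION_MAXNAMELEN (29) is the uapi value; the surrounding struct, the helper names, the "secret" payload and the bounded walk that stands in for an unbounded string function are assumptions constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define XT_EXTENSION_MAXNAMELEN 29   /* include/uapi/linux/netfilter/x_tables.h */

/* Constructed stand-in for a match/target header copied in from userspace:
 * a fixed-size name with other data packed right behind it. */
struct xt_entry_like {
	char name[XT_EXTENSION_MAXNAMELEN];
	unsigned char revision;
	char private_data[32];
};

/* The check the fix adds: accept only if a NUL exists inside the field.
 * Returns 0 or -EINVAL. */
static int xt_check_name(const char *name, size_t size)
{
	return memchr(name, '\0', size) ? 0 : -EINVAL;
}

/* What a C-string consumer does with the field: walk until a NUL, which for
 * an unterminated name means walking into the following fields.  The walk
 * is bounded by the struct here so the example stays well-defined; strlen()
 * and strcmp() in the kernel have no such bound.  Returns the length the
 * consumer "sees". */
static size_t naive_name_len(const struct xt_entry_like *e)
{
	const unsigned char *p = (const unsigned char *)e;   /* name is the first member */
	size_t n = 0;

	while (n < sizeof(*e) && p[n] != '\0')
		n++;
	return n;
}

/* Validated path: reject before any string function touches the name. */
static int lookup_match_checked(const struct xt_entry_like *e, size_t *len_out)
{
	int err = xt_check_name(e->name, sizeof(e->name));

	if (err)
		return err;
	*len_out = strlen(e->name);       /* safe: a NUL is guaranteed inside name[] */
	return 0;
}

/* Builds a constructed entry.  terminated=0 fills the whole name with 'A',
 * which is what a malicious or buggy userspace can hand the kernel. */
static struct xt_entry_like make_entry(const char *name, int terminated)
{
	struct xt_entry_like e;

	memset(&e, 0, sizeof(e));
	if (terminated)
		strncpy(e.name, name, sizeof(e.name) - 1);
	else
		memset(e.name, 'A', sizeof(e.name));
	e.revision = 1;
	strcpy(e.private_data, "secret");   /* adjacent bytes an over-read exposes */
	return e;
}

int main(void)
{
	struct xt_entry_like good = make_entry("conntrack", 1);
	struct xt_entry_like bad = make_entry("", 0);
	size_t len = 0;

	printf("good: check=%d, len=%zu\n", lookup_match_checked(&good, &len), len);
	printf("bad:  check=%d, unchecked walk reads %zu bytes (%zu past the field)\n",
	       lookup_match_checked(&bad, &len), naive_name_len(&bad),
	       naive_name_len(&bad) - sizeof(bad.name));
	return 0;
}
```

The check is one memchr()/strnlen() per name at the copy-in boundary; the point of the example is where it has to sit, which is before the first string function, not after the first one that happens to crash.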
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43027 – netfilter: nf_conntrack_helper: pass helper to expect cleanup
https://notcve.org/view.php?id=CVE-2026-43027
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup. After unregister returns, nfnl_cthelper_del() frees the helper object immediately.... • https://git.kernel.org/stable/c/ac7b848390036dadd4351899d2a23748075916bd • CWE-416: Use After Free •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43026 – netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
https://notcve.org/view.php?id=CVE-2026-43026
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CT... • https://git.kernel.org/stable/c/076a0ca02644657b13e4af363f487ced2942e9cb •
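CVE-2026-43035 (tc_chain_fill_node leaving tcm_info unset) and the entry above (ctnetlink leaving saved_addr/saved_proto unset when CTA_EXPECT_NAT is absent) are the same defect: a struct built in memory the allocator did not zero, with one field nobody writes, copied to userspace. The C program below is an added example, not code from the kernel or from either advisory. struct tcmsg follows include/uapi/linux/rtnetlink.h; the fill functions, the one-slot "stale slab" model and the differential-poisoning detector are assumptions written for this page, and the detector is the same idea a kernel developer applies with KMSAN or an init_on_alloc comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* include/uapi/linux/rtnetlink.h */
struct tcmsg {
	unsigned char tcm_family;
	unsigned char tcm__pad1;
	unsigned short tcm__pad2;
	int tcm_ifindex;
	uint32_t tcm_handle;
	uint32_t tcm_parent;
	uint32_t tcm_info;          /* the 4 bytes the buggy fill never writes */
};

typedef void (*fill_fn)(struct tcmsg *, int, uint32_t);

/* Models tc_chain_fill_node() before the fix: sets every field except
 * tcm_info, in a message buffer that the allocator did not zero. */
static void fill_buggy(struct tcmsg *t, int ifindex, uint32_t parent)
{
	t->tcm_family = 0;          /* AF_UNSPEC */
	t->tcm__pad1 = 0;
	t->tcm__pad2 = 0;
	t->tcm_ifindex = ifindex;
	t->tcm_handle = 0;
	t->tcm_parent = parent;
}

/* The fix: zero tcm_info alongside the other fields. */
static void fill_fixed(struct tcmsg *t, int ifindex, uint32_t parent)
{
	fill_buggy(t, ifindex, parent);
	t->tcm_info = 0;
}

/* Runs one fill in a slot whose previous occupant left `poison` behind,
 * like a non-zeroing slab allocation, and copies out the message bytes
 * exactly as they would be sent to userspace. */
static void fill_on_stale_slot(fill_fn fill, unsigned char poison,
			       unsigned char out[sizeof(struct tcmsg)])
{
	union { struct tcmsg t; unsigned char raw[sizeof(struct tcmsg)]; } slot;

	memset(slot.raw, poison, sizeof(slot.raw));   /* stale data from a previous owner */
	fill(&slot.t, 2, 0xffffffffu);                 /* ifindex 2, TC_H_ROOT parent */
	memcpy(out, slot.raw, sizeof(slot.raw));
}

/* Differential poisoning: a byte that still shows poison A after one run
 * and poison B after another was never written by the fill, so it would
 * reach userspace as-is.  Two patterns avoid false positives from fields
 * that legitimately hold the poison value.  Returns how many bytes leak. */
static size_t leaked_bytes(fill_fn fill)
{
	unsigned char a[sizeof(struct tcmsg)], b[sizeof(struct tcmsg)];
	size_t n = 0;

	fill_on_stale_slot(fill, 0xA5, a);
	fill_on_stale_slot(fill, 0x5A, b);
	for (size_t i = 0; i < sizeof(a); i++)
		n += (a[i] == 0xA5 && b[i] == 0x5A);
	return n;
}

/* Offset of the first leaking byte, or -1 if nothing leaks. */
static long first_leaked_offset(fill_fn fill)
{
	unsigned char a[sizeof(struct tcmsg)], b[sizeof(struct tcmsg)];

	fill_on_stale_slot(fill, 0xA5, a);
	fill_on_stale_slot(fill, 0x5A, b);
	for (size_t i = 0; i < sizeof(a); i++)
		if (a[i] == 0xA5 && b[i] == 0x5A)
			return (long)i;
	return -1;
}

int main(void)
{
	printf("buggy fill: %zu bytes leak, first at offset %ld (tcm_info is at %zu)\n",
	       leaked_bytes(fill_buggy), first_leaked_offset(fill_buggy),
	       offsetof(struct tcmsg, tcm_info));
	printf("fixed fill: %zu bytes leak\n", leaked_bytes(fill_fixed));
	return 0;
}
```

The ctnetlink case differs only in which field is skipped and which condition skips it (no CTA_EXPECT_NAT attribute in the request); the detector does not care, which is why running message-building paths under a poisoning allocator is a cheap way to find this class before a dump shows stale heap bytes.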
CVSS: 7.3 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-43025 – netfilter: ctnetlink: ignore explicit helper on new expectations
https://notcve.org/view.php?id=CVE-2026-43025
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect... • https://git.kernel.org/stable/c/bd0779370588386e4a67ba5d0b176cfded8e6a53 • CWE-125: Out-of-bounds Read •
CVSS: 5.5 | EPSS: 0% | CPEs: 11 | EXPL: 0 | CVE-2026-43024 – netfilter: nf_tables: reject immediate NF_QUEUE verdict
https://notcve.org/view.php?id=CVE-2026-43024
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject immediate NF_QUEUE verdict nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts. The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue. • https://git.kernel.org/stable/c/55a60251fa50d4e68175e36666b536a602ce4f6c •
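The subtlety in the entry above is that a verdict is not a plain enum: the hook code sits in the low byte and the upper bits carry data, so an NF_QUEUE verdict with a queue number does not compare equal to the bare NF_QUEUE constant. The C program below is an added example, not code from the kernel or from the advisory. The constants are the uapi values from include/uapi/linux/netfilter.h and include/uapi/linux/netfilter/nf_tables.h; the validator is written for this page after the shape of the kernel's verdict checks and is an assumption, as is leaving chain resolution for NFT_JUMP/NFT_GOTO out of scope.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* include/uapi/linux/netfilter.h: hook verdict codes live in the low byte,
 * the upper bits carry per-verdict data (an errno for NF_DROP, a queue
 * number for NF_QUEUE). */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_QUEUE         3
#define NF_REPEAT        4
#define NF_STOP          5
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16
#define NF_QUEUE_NR(n)   ((((n) << NF_VERDICT_QBITS) & 0xffff0000) | NF_QUEUE)

/* include/uapi/linux/netfilter/nf_tables.h: nf_tables-internal verdicts. */
#define NFT_CONTINUE (-1)
#define NFT_BREAK    (-2)
#define NFT_JUMP     (-3)
#define NFT_GOTO     (-4)
#define NFT_RETURN   (-5)

/* Verdict filter for an immediate expression.  Returns 0 if the verdict may
 * be stored in the immediate, -EINVAL otherwise. */
static int nft_immediate_verdict_check(int32_t code)
{
	switch (code) {
	case NFT_CONTINUE:
	case NFT_BREAK:
	case NFT_RETURN:
	case NFT_JUMP:
	case NFT_GOTO:
		return 0;
	default:
		break;
	}

	/* Compare the code byte only: NF_QUEUE_NR(7) is 0x00070003, so a test
	 * against the bare NF_QUEUE constant would let it through. */
	switch (code & NF_VERDICT_MASK) {
	case NF_ACCEPT:
	case NF_DROP:
		return 0;
	case NF_QUEUE:     /* rejected: nft_queue is the supported way to queue,
			      and the arp family has no queue support at all */
	default:
		return -EINVAL;
	}
}

/* Queue number carried by an NF_QUEUE verdict (meaningful only when the
 * low byte is NF_QUEUE); shown to make the encoding visible. */
static unsigned int nf_queue_number(int32_t code)
{
	return ((uint32_t)code >> NF_VERDICT_QBITS) & 0xffff;
}

int main(void)
{
	const int32_t samples[] = { NF_ACCEPT, NF_DROP, NF_QUEUE,
				    (int32_t)NF_QUEUE_NR(7), NF_STOLEN,
				    NFT_JUMP, NFT_CONTINUE, -6 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("verdict %#010x -> %s (queue %u)\n", (uint32_t)samples[i],
		       nft_immediate_verdict_check(samples[i]) ? "reject" : "accept",
		       nf_queue_number(samples[i]));
	return 0;
}
```

When auditing any code that accepts a verdict from userspace, check that the comparison masks with NF_VERDICT_MASK before deciding; an equality test on the whole word is the pattern that lets a data-carrying verdict slip past an allowlist.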
