CVE-2026-43025

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 01/05/2026
Last modified: 08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: ignore explicit helper on new expectations

Use the existing master conntrack helper, anything else is not really
supported and it just makes validation more complicated, so just ignore
what helper userspace suggests for this expectation.

This was uncovered when validating CTA_EXPECT_CLASS via different helper
provided by userspace than the existing master conntrack helper:

  BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
  Read of size 4 at addr ffff8880043fe408 by task poc/102
  Call Trace:
   nf_ct_expect_related_report+0x2479/0x27c0
   ctnetlink_create_expect+0x22b/0x3b0
   ctnetlink_new_expect+0x4bd/0x5c0
   nfnetlink_rcv_msg+0x67a/0x950
   netlink_rcv_skb+0x120/0x350

Allowing to read kernel memory bytes off the expectation boundary.

CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace
via netlink dump.
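A simplified user-space model of the mismatch described above, added here as an illustration and not taken from the kernel source or the fix. All struct and function names are hypothetical. It assumes a class index is validated against the helper named in the request but later used to index the master connection's helper table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT kernel code. Every name here is hypothetical. */
struct helper {
    const char *name;
    unsigned int n_classes;       /* number of entries in policy[] */
    const unsigned int *policy;   /* per-class limit table */
};

struct conn { const struct helper *helper; };  /* helper of the master connection */

static const unsigned int one_class[]  = { 1 };
static const unsigned int four_class[] = { 1, 4, 8, 8 };
static const struct helper small_helper = { "small", 1, one_class };
static const struct helper big_helper   = { "big",   4, four_class };

/* Before: the class is validated against the helper named by the request. */
bool accept_class_before(const struct conn *master,
                         const struct helper *requested, unsigned int cls)
{
    const struct helper *h = requested ? requested : master->helper;
    return cls < h->n_classes;
}

/* After: the requested helper is ignored; only the master's helper counts. */
bool accept_class_after(const struct conn *master,
                        const struct helper *requested, unsigned int cls)
{
    (void)requested;
    return cls < master->helper->n_classes;
}

/* True when indexing the master helper's policy table with cls stays in bounds. */
bool policy_index_ok(const struct conn *master, unsigned int cls)
{
    return cls < master->helper->n_classes;
}

int main(void)
{
    struct conn master = { &small_helper };   /* constructed sample input */
    printf("before: accepted=%d in_bounds=%d\n",
           accept_class_before(&master, &big_helper, 3),
           policy_index_ok(&master, 3));
    printf("after:  accepted=%d\n",
           accept_class_after(&master, &big_helper, 3));
    return 0;
}
```

In the model, the "before" check accepts a class index that is out of range for the table actually consulted, while the "after" check rejects it because validation and use refer to the same helper.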

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.12 (including) 6.1.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*