CVE-2026-43027

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/05/2026
Last modified: 08/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_helper: pass helper to expect cleanup

nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup.

After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free.

Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed.

BUG: KASAN: slab-use-after-free in string+0x38f/0x430
Read of size 1 at addr ffff888003b14d20 by task poc/103
Call Trace:
string+0x38f/0x430
vsnprintf+0x3cc/0x1170
seq_printf+0x17a/0x240
exp_seq_show+0x2e5/0x560
seq_read_iter+0x419/0x1280
proc_reg_read+0x1ac/0x270
vfs_read+0x179/0x930
ksys_read+0xef/0x1c0
Freed by task 103:
The buggy address is located 32 bytes inside of
freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
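
The following is an added user-space model of the cleanup logic described above, not the kernel's own code. The function names echo those in the description, while the structs, the table and the "ftp"/"sip" helper names are constructed for illustration. It shows why a NULL data argument leaves every expectation in place and why passing the helper pointer removes the references before the helper can be freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: names echo the advisory, bodies are illustrative. */
struct helper { const char *name; };
struct expect { const struct helper *helper; bool live; };

typedef bool (*expect_iter_fn)(const struct expect *exp, const void *data);

/* Predicate: does this expectation belong to the helper passed as data? */
static bool expect_iter_me(const struct expect *exp, const void *data)
{
    return exp->helper == data;
}

/* Destroy every live expectation the predicate selects; return the count. */
static size_t expect_iterate_destroy(struct expect *tbl, size_t n,
                                     expect_iter_fn iter, const void *data)
{
    size_t destroyed = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].live && iter(&tbl[i], data)) {
            tbl[i].live = false;
            destroyed++;
        }
    }
    return destroyed;
}

/* Unregister the "ftp" helper over a constructed table and return how many
 * live expectations still point at it, i.e. would dangle once it is freed. */
size_t refs_left_after_unregister(bool pass_helper)
{
    static const struct helper ftp = { "ftp" }, sip = { "sip" };
    struct expect tbl[] = { { &ftp, true }, { &sip, true }, { &ftp, true } };
    size_t n = sizeof tbl / sizeof tbl[0], left = 0;

    expect_iterate_destroy(tbl, n, expect_iter_me, pass_helper ? &ftp : NULL);
    for (size_t i = 0; i < n; i++)
        left += tbl[i].live && tbl[i].helper == &ftp;
    return left;
}

int main(void)
{
    printf("data = NULL:   %zu stale references\n", refs_left_after_unregister(false));
    printf("data = helper: %zu stale references\n", refs_left_after_unregister(true));
    return 0;
}
```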

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14 (including) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*