CVE-2026-43060

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: drop pending enqueued packets on removal

Packets sitting in nfqueue might hold a reference to:

- templates that specify the conntrack zone, because a percpu area is used and module removal is possible.
- conntrack timeout policies and helper, where object removal leaves a stale reference.

Since these objects can just go away, drop enqueued packets to avoid stale reference to them.

If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.

Impact