CVE-2026-43450

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
08/05/2026
Last modified:
21/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()

nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label
inside the for loop body. When the "last" helper saved in cb->args[1]
is deleted between dump rounds, every entry fails the (cur != last)
check, so cb->args[1] is never cleared. The for loop finishes with
cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back
into the loop body bypassing the bounds check, causing an 8-byte
out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].

The 'goto restart' block was meant to re-traverse the current bucket
when "last" is no longer found, but it was placed after the for loop
instead of inside it. Move the block into the for loop body so that
the restart only occurs while cb->args[0] is still within bounds.

BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Call Trace:
 nfnl_cthelper_dump_table+0x9f/0x1b0
 netlink_dump+0x333/0x880
 netlink_recvmsg+0x3e2/0x4b0
 sock_recvmsg+0xde/0xf0
 __sys_recvfrom+0x150/0x200
 __x64_sys_recvfrom+0x76/0x90
 do_syscall_64+0xc3/0x6e0

Allocated by task 1:
 __kvmalloc_node_noprof+0x21b/0x700
 nf_ct_alloc_hashtable+0x65/0xd0
 nf_conntrack_helper_init+0x21/0x60
 nf_conntrack_init_start+0x18d/0x300
 nf_conntrack_standalone_init+0x12/0xc0
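
To make the loop-placement point concrete, the following is a constructed user-space C model of the dump loop's shape, added here and not kernel code: helper_hash stands in for nf_ct_helper_hash, HSIZE for nf_ct_helper_hsize, cb->args[] is passed as args[], and an explicit guard returns -1 at the index where the real code would read helper_hash[HSIZE]. The fixed flag selects the buggy placement (restart block after the for loop) or the fix the description calls for (block inside the loop body).

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of the loop in nfnl_cthelper_dump_table(), not kernel code:
 * HSIZE buckets of up to BUCKET helper ids (0 = empty slot). */
#define HSIZE 4
#define BUCKET 2
static int helper_hash[HSIZE][BUCKET];   /* stands in for nf_ct_helper_hash */
/* args[] mirrors cb->args[]: [0] = bucket index, [1] = id of the helper whose
 * fill failed last round (0 = none); budget = entries that fit this round.
 * Returns entries emitted, or -1 once the walk reaches helper_hash[HSIZE]. */
static int dump_table(unsigned long args[2], int budget, bool fixed)
{
	int emitted = 0;
	for (; args[0] < HSIZE; args[0]++) {
restart:
		if (args[0] >= HSIZE) return -1;   /* stand-in for the OOB read */
		for (int i = 0; i < BUCKET; i++) {
			int cur = helper_hash[args[0]][i];
			if (!cur) continue;
			if (args[1]) {             /* resuming: skip until "last" */
				if (cur != (int)args[1])
					continue;
				args[1] = 0;
			}
			if (emitted == budget) {   /* skb full: remember cur, stop */
				args[1] = (unsigned long)cur;
				return emitted;
			}
			emitted++;
		}
		/* fix: re-walk this bucket while args[0] is still in bounds */
		if (fixed && args[1]) { args[1] = 0; goto restart; }
	}
	/* bug: args[0] == HSIZE here, so the jump bypasses the loop condition */
	if (!fixed && args[1]) { args[1] = 0; goto restart; }
	return emitted;
}
/* Round 1 emits helpers 1 and 2 and stops at helper 3 (args = {1, 3});
 * optionally helper 3 is deleted between rounds; returns round 2's result. */
static int second_round(bool fixed, bool delete_last)
{
	unsigned long args[2] = {0, 0};
	memset(helper_hash, 0, sizeof helper_hash);
	helper_hash[0][0] = 1; helper_hash[0][1] = 2;
	helper_hash[1][0] = 3; helper_hash[1][1] = 4;
	dump_table(args, 2, fixed);
	if (delete_last) helper_hash[1][0] = 0;
	return dump_table(args, 2, fixed);
}
```

With "last" intact both placements behave the same; only when it disappears between rounds does the after-the-loop placement jump back in with args[0] == HSIZE.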

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.6 (including) | 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.9 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | |