CVE-2026-43453

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()<br /> <br /> pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the<br /> to_offset argument on every iteration, including the last one where<br /> i == m-&gt;field_count - 1. This reads one element past the end of the<br /> stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]<br /> with NFT_PIPAPO_MAX_FIELDS == 16).<br /> <br /> Although pipapo_unmap() returns early when is_last is true without<br /> using the to_offset value, the argument is evaluated at the call site<br /> before the function body executes, making this a genuine out-of-bounds<br /> stack read confirmed by KASAN:<br /> <br /> BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]<br /> Read of size 4 at addr ffff8000810e71a4<br /> <br /> This frame has 1 object:<br /> [32, 160) &amp;#39;rulemap&amp;#39;<br /> <br /> The buggy address is at offset 164 -- exactly 4 bytes past the end<br /> of the rulemap array.<br /> <br /> Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid<br /> the out-of-bounds read.