In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlinklog: initialize nfgenmsg in NLMSGDONE terminator
When batching multiple NFLOG messages (inst->qlen > 1), _nfulnlsend() appends an NLMSGDONE terminator with sizeof(struct nfgenmsg) payload via nlmsgput(), but never initializes the nfgenmsg bytes. The nlmsgput() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSGDONE message body.
Use nfnlmsgput() to build the NLMSGDONE terminator, which initializes the nfgenmsg payload via nfnlfill_hdr(), consistent with how __buildpacketmessage() already constructs NFULNLMSGPACKET headers.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43085.json"
}