CVE-2026-43085

Source
https://cve.org/CVERecord?id=CVE-2026-43085
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43085.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43085
Downstream
Related
Published
2026-05-06T07:40:19.915Z
Modified
2026-07-15T01:48:51.832582976Z
Summary
netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlinklog: initialize nfgenmsg in NLMSGDONE terminator

When batching multiple NFLOG messages (inst->qlen > 1), _nfulnlsend() appends an NLMSGDONE terminator with sizeof(struct nfgenmsg) payload via nlmsgput(), but never initializes the nfgenmsg bytes. The nlmsgput() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSGDONE message body.

Use nfnlmsgput() to build the NLMSGDONE terminator, which initializes the nfgenmsg payload via nfnlfill_hdr(), consistent with how __buildpacketmessage() already constructs NFULNLMSGPACKET headers.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43085.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
29c5d4afba51c71cfeadd3f74f3c42e064483fb0
Fixed
296f18e1c3a87c915a92ed27832d5040a22d1072
Fixed
9e2182865de781c41ab16b7985e9d26dcefea867
Fixed
57cc509d82b46150a11dcecc8b25eaa177eda34d
Fixed
368c22aea490f6f50df831b4f9e3623787686c5b
Fixed
d1399632ba255d2e02c757af5d9f5d9279ce168c
Fixed
d552bcfca323d175664d7444989b04f55666978a
Fixed
15d209bccf9273b4a8b4e579ba0e92d065b6ec8c
Fixed
1f3083aec8836213da441270cdb1ab612dd82cf4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43085.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.23
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43085.json"