CVE-2026-43060

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: drop pending enqueued packets on removal

Packets sitting in nfqueue might hold a reference to:

  • templates that specify the conntrack zone, because a percpu area is used and module removal is possible.
  • conntrack timeout policies and helper, where object removal leave a stale reference.

Since these objects can just go away, drop enqueued packets to avoid stale reference to them.

If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < 8a64e76933672b08bd85b63086f33432070fd729affected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < 3da0b946835f33bf36b459ead764c61a761e689baffected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < ab50302190b303f847c4eba0e31a01a56dec596eaffected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < e68a8db3a0546482b34e9ca5ca886bcf73eb37bbaffected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < 6802ff8beceb9c4254318e81c1395720438f2cc2affected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < f29a055e4f593e577805b41228b142b58f48df1baffected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < 77da55dee67720e2b8d2db49a53334e6c017ee7baffected
LinuxLinux7e0b2b57f01d183e1c84114f1f2287737358d748 < 36eae0956f659e48d5366d9b083d9417f3263ddcaffected
LinuxLinux4.19affected
LinuxLinux0 < 4.19unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.20 <= 6.18.*unaffected
LinuxLinux6.19.10 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References