Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-43085

Summary
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-06 May, 2026 | 07:40
Updated At-06 May, 2026 | 07:40
Rejected At-
Credits

netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body. Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Linux
Assigner Org ID:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:06 May, 2026 | 07:40
Updated At:06 May, 2026 | 07:40
Rejected At:
▼CVE Numbering Authority (CNA)
netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body. Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers.

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/netfilter/nfnetlink_log.c
Default Status
unaffected
Versions
Affected
  • From 29c5d4afba51c71cfeadd3f74f3c42e064483fb0 before 368c22aea490f6f50df831b4f9e3623787686c5b (git)
  • From 29c5d4afba51c71cfeadd3f74f3c42e064483fb0 before d1399632ba255d2e02c757af5d9f5d9279ce168c (git)
  • From 29c5d4afba51c71cfeadd3f74f3c42e064483fb0 before d552bcfca323d175664d7444989b04f55666978a (git)
  • From 29c5d4afba51c71cfeadd3f74f3c42e064483fb0 before 15d209bccf9273b4a8b4e579ba0e92d065b6ec8c (git)
  • From 29c5d4afba51c71cfeadd3f74f3c42e064483fb0 before 1f3083aec8836213da441270cdb1ab612dd82cf4 (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/netfilter/nfnetlink_log.c
Default Status
affected
Versions
Affected
  • 2.6.23
Unaffected
  • From 0 before 2.6.23 (semver)
  • From 6.6.136 through 6.6.* (semver)
  • From 6.12.83 through 6.12.* (semver)
  • From 6.18.24 through 6.18.* (semver)
  • From 6.19.14 through 6.19.* (semver)
  • From 7.0 through * (original_commit_for_fix)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b
N/A
https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c
N/A
https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a
N/A
https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c
N/A
https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4
N/A
Hyperlink: https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:06 May, 2026 | 10:16
Updated At:06 May, 2026 | 10:16

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body. Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
CPE Matches
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
Hyperlink: https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found