CVE-2026-43114

Severity: CRITICAL
Published: May 6, 2026 · Updated: May 8, 2026
CVSS v3.1 base score: 9.4
EPSS: 0.02% probability of exploitation in 30 days (percentile: 4.8th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry

New test case fails unexpectedly when avx2 matching functions are used.

The test first loads a randomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo.

This works. Then, it reloads the set after a flush:

(echo flush set t s; cat foo) | nft -f -

This is expected to work, because it's the same set after all and it was already loaded once.

But with avx2, this fails: nft reports a clashing element.

The reported clash is of the following form:

We successfully re-inserted
a . b
c . d

Then we try to insert a . d

avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to the next.

Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched.

No such error is reported for the generic C implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.

Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug.

Before this commit, the wrong element is returned, but erroneously reported as a full, identical duplicate.

The root cause is a too-early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.
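The load / flush / reload sequence from the commit message, rebuilt as a script an administrator can run to check whether a kernel still reports a spurious clash on an unchanged set. This is an added example, not the kernel's own regression test and not part of the NVD record. It assumes (none of which the commit states) family "ip", table "t", set "s", key type "ipv4_addr . inet_service" with the interval flag, and a layout in which several elements share one address block ("a . b", "a . d") while others share a port range ("c . d"), the shape the commit describes. Whether a given generated set actually trips the faulty skip-step depends on the set's contents and on the kernel choosing the avx2 matcher, so a successful reload is evidence, not proof, that the fix is present.

```shell
#!/bin/sh
# Added example (not from the kernel commit or the NVD record): regenerate the
# load / flush / reload test from the commit message and report its outcome.
# Assumed, not in the original: family "ip", table "t", set "s",
# type "ipv4_addr . inet_service", flags interval.

# gen_ruleset BLOCKS RANGES SEED
# Emit an nft ruleset whose set holds BLOCKS address /24s, each concatenated
# with RANGES disjoint port ranges. Range widths are randomised from SEED so
# the set differs between runs but never contains overlapping elements.
gen_ruleset() {
    awk -v blocks="${1:-8}" -v ranges="${2:-4}" -v seed="${3:-1}" 'BEGIN {
        srand(seed)
        print "table ip t {"
        print "\tset s {"
        print "\t\ttype ipv4_addr . inet_service"
        print "\t\tflags interval"
        print "\t\telements = {"
        total = blocks * ranges; n = 0
        for (b = 0; b < blocks; b++) {
            # one /24 per block keeps the address ranges disjoint
            addr = sprintf("10.%d.%d.0-10.%d.%d.255", int(b / 256), b % 256, int(b / 256), b % 256)
            for (r = 0; r < ranges; r++) {
                # a slot of 1000 ports per range keeps port ranges disjoint within a block
                lo = r * 1000 + 1 + int(rand() * 400)
                hi = lo + 1 + int(rand() * 500)
                n++
                printf("\t\t\t%s . %d-%d%s\n", addr, lo, hi, (n < total) ? "," : "")
            }
        }
        print "\t\t}"
        print "\t}"
        print "}"
    }'
}

# count_elements FILE: number of concatenated elements in a generated ruleset
# (element lines are the only ones where " . " is followed by a digit).
count_elements() {
    grep -c ' \. [0-9]' "$1"
}

# reload_check FILE
# Load the set once (expected to succeed), then flush and reload it in one
# transaction exactly as the commit message does. On an affected kernel using
# the avx2 matcher the second step may fail with a clash error even though the
# set is unchanged. Returns 0 when the reload succeeds, 1 when it fails,
# 2 when nft is unavailable or the initial load itself fails.
reload_check() {
    file="$1"
    command -v nft >/dev/null 2>&1 || { echo "nft not available" >&2; return 2; }
    nft -f "$file" || { echo "initial load failed" >&2; return 2; }
    if (echo flush set t s; cat "$file") | nft -f -; then
        echo "reload after flush succeeded"
        status=0
    else
        echo "reload after flush failed: kernel may still have this bug" >&2
        status=1
    fi
    nft delete table ip t 2>/dev/null
    return "$status"
}

# main [BLOCKS] [RANGES] [SEED]: generate a set into a temp file and run the check.
main() {
    tmp="$(mktemp)"
    gen_ruleset "$@" > "$tmp"
    echo "generated $(count_elements "$tmp") elements"
    reload_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run only when invoked with at least one argument (needs root and nft):
#   sh reload_check.sh 8 4 1
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root on the kernel under test; a non-zero exit from the flush-and-reload step on an unchanged set is the symptom the commit describes. Vary the seed and the block/range counts across a few runs, since a single set is not guaranteed to reach the code path.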

NVD Source

Technical Analysis

CVE-2026-43114 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in a complete confidentiality breach (data exposure) and full integrity compromise (data manipulation), with a low availability impact, for a CVSS base score of 9.4.

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
Impact
  • Confidentiality: High
  • Integrity: High
  • Availability: Low
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Affected Vendors & Products

Linux (1 product): linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (5)

Quick Facts

  • CVE ID: CVE-2026-43114
  • CVSS Score: 9.4 / 10
  • Severity: CRITICAL
  • CISA KEV: No
  • EPSS (30d): 0.02%
  • Affected: 1 vendor
  • Published: May 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43114 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.