CVE-2026-43453
Published: May 8, 2026· Updated: May 12, 2026
Official Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
to_offset argument on every iteration, including the last one where
i == m->field_count - 1. This reads one element past the end of the
stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without
using the to_offset value, the argument is evaluated at the call site
before the function body executes, making this a genuine out-of-bounds
stack read confirmed by KASAN:
BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
Read of size 4 at addr ffff8000810e71a4
This frame has 1 object:
[32, 160) 'rulemap'
The buggy address is at offset 164 -- exactly 4 bytes past the end
of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid
the out-of-bounds read.
Technical Analysis
CVE-2026-43453 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
Affected Vendors & Products
Exploit & PoC Resources
All References (8)
Quick Facts
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-43453 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts