CVE-2026-43114CRITICAL 9.4EPSS p26.9%
CVE-2026-43114CVE-2026-43114
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
New test case fails unexpectedly when avx2 matching functions are used.
The test first loads a ranomly generated pipapo set
with 'ipv4 . port' key, i.e. nft -f foo.
This works. Then, it reloads the set after a flush:
(echo flush set t s; cat foo) | nft -f -
This is expected to work, because its the same set after all and it was
already loaded once.
But with avx2, this fails: nft reports a clashing element.
The reported clash is of following form:
We successfully re-inserted
a . b
c . d
Then we try to insert a . d
avx2 finds the already existing a . d, which (due to 'flush set') is marked
as invalid in the new generation. It skips the element and moves to next.
Due to incorrect masking, the skip-step finds the next matching
element *only considering the first field*,
i.e. we return the already reinserted "a . b", eve
Scoring
| CVSS 3.1 | 9.4 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| EPSS | 0.35% probability of exploitation · percentile 26.9% · 2026-06-18T12:00:27Z |
| Published | 2026-05-06 |
| Last modified | 2026-06-01 |
References
- https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb
- https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed
- https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52
- https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c
- https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.