{"id":"CVE-2026-43085","summary":"netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator\n\nWhen batching multiple NFLOG messages (inst-\u003eqlen \u003e 1), __nfulnl_send()\nappends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via\nnlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()\nhelper only zeroes alignment padding after the payload, not the payload\nitself, so four bytes of stale kernel heap data are leaked to userspace\nin the NLMSG_DONE message body.\n\nUse nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes\nthe nfgenmsg payload via nfnl_fill_hdr(), consistent with how\n__build_packet_message() already constructs NFULNL_MSG_PACKET headers.","modified":"2026-07-15T01:48:51.832582976Z","published":"2026-05-06T07:40:19.915Z","related":["SUSE-SU-2026:22521-1","SUSE-SU-2026:22522-1","SUSE-SU-2026:2799-1","SUSE-SU-2026:2800-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43085.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/296f18e1c3a87c915a92ed27832d5040a22d1072"},{"type":"WEB","url":"https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/57cc509d82b46150a11dcecc8b25eaa177eda34d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e2182865de781c41ab16b7985e9d26dcefea867"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43085.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43085"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"29c5d4afba51c71cfeadd3f74f3c42e064483fb0"},{"fixed":"296f18e1c3a87c915a92ed27832d5040a22d1072"},{"fixed":"9e2182865de781c41ab16b7985e9d26dcefea867"},{"fixed":"57cc509d82b46150a11dcecc8b25eaa177eda34d"},{"fixed":"368c22aea490f6f50df831b4f9e3623787686c5b"},{"fixed":"d1399632ba255d2e02c757af5d9f5d9279ce168c"},{"fixed":"d552bcfca323d175664d7444989b04f55666978a"},{"fixed":"15d209bccf9273b4a8b4e579ba0e92d065b6ec8c"},{"fixed":"1f3083aec8836213da441270cdb1ab612dd82cf4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43085.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.23"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43085.json"}}],"schema_version":"1.7.5"}