{"id":"CVE-2026-43453","summary":"netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()\n\npipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the\nto_offset argument on every iteration, including the last one where\ni == m-\u003efield_count - 1. This reads one element past the end of the\nstack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]\nwith NFT_PIPAPO_MAX_FIELDS == 16).\n\nAlthough pipapo_unmap() returns early when is_last is true without\nusing the to_offset value, the argument is evaluated at the call site\nbefore the function body executes, making this a genuine out-of-bounds\nstack read confirmed by KASAN:\n\n  BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]\n  Read of size 4 at addr ffff8000810e71a4\n\n  This frame has 1 object:\n   [32, 160) 'rulemap'\n\n  The buggy address is at offset 164 -- exactly 4 bytes past the end\n  of the rulemap array.\n\nPass 0 instead of rulemap[i + 1].n on the last iteration to avoid\nthe out-of-bounds read.","modified":"2026-05-28T03:54:47.997532655Z","published":"2026-05-08T14:22:18.087Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43453.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43453.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43453"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3c4287f62044a90e73a561aa05fc46e62da173da"},{"fixed":"1957e793196e7f8557374fd4eda53abcbb42e1c0"},{"fixed":"57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e"},{"fixed":"60c1d18781e37bfb96290b86510eb01c5fa24d75"},{"fixed":"0a55d62cdb628923d8a21724374a70c76ac7d19d"},{"fixed":"dfbdac719198778b581bc0dd055df2542edb8c62"},{"fixed":"e047f6fbb975f685d6c9fcef95b3b7787a79b46d"},{"fixed":"324b749aa5b2d516ccfab933df9d3f56e7807f5f"},{"fixed":"d6d8cd2db236a9dd13dbc2d05843b3445cc964b5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43453.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.6.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43453.json"}}],"schema_version":"1.7.5"}