Linux Kernel Vulnerability in PF_KEY Export Paths Affecting Multiple Network Features
CVE-2026-43088

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 6 May 2026

What is CVE-2026-43088?

In the Linux kernel, a vulnerability exists in the PF_KEY export paths: the sockaddr payload for IPv6 addresses is not fully initialized. The flaw is in pfkey_sockaddr_fill(), which allocates 32 bytes on the wire but only zeros the initial 28 bytes, leaving the final 4 bytes uninitialized. The issue affects certain PF_KEY message types and requires a fix to ensure better alignment and security in the handling of sockaddr payloads.
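The 28-versus-32-byte gap described above can be reproduced in user space. The following is an added example, not kernel code and not the upstream fix; the names `ALIGN8`, `POISON`, `model_fill_partial`, `model_fill_full` and `stale_bytes` are hypothetical, and the 0xAA pattern is a constructed stand-in for stale memory.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Round up to the 8-byte units PF_KEY messages use (hypothetical helper). */
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)
#define POISON 0xAA   /* constructed stand-in for stale memory contents */

/* Model of the flawed pattern: only sizeof(struct sockaddr_in6) bytes are written. */
static void model_fill_partial(unsigned char *slot, const struct in6_addr *a)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_addr = *a;
    memcpy(slot, &sin6, sizeof(sin6));
}

/* Hardened form: zero the whole aligned slot before filling it. */
static void model_fill_full(unsigned char *slot, const struct in6_addr *a)
{
    memset(slot, 0, ALIGN8(sizeof(struct sockaddr_in6)));
    model_fill_partial(slot, a);
}

/* Count bytes of the on-wire slot that still hold the poison pattern. */
static size_t stale_bytes(void (*fill)(unsigned char *, const struct in6_addr *))
{
    unsigned char slot[ALIGN8(sizeof(struct sockaddr_in6))];
    struct in6_addr a;
    size_t i, n = 0;

    memset(slot, POISON, sizeof(slot));      /* simulate a reused buffer */
    inet_pton(AF_INET6, "2001:db8::1", &a);  /* constructed documentation address */
    fill(slot, &a);
    for (i = 0; i < sizeof(slot); i++)
        n += (slot[i] == POISON);
    return n;
}

int main(void)
{
    printf("stale bytes: partial=%zu full=%zu\n",
           stale_bytes(model_fill_partial), stale_bytes(model_fill_full));
    return 0;
}
```

A regression check for this class of bug can use the same approach: poison the destination buffer, run the export routine, and fail if any poison byte remains inside the aligned length.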

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2e74f974359b5382ecbe8536abbb5b837eb6c724

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 426c355742f02cf743b347d9d7dbdc1bfbfa31ef

Linux 2.6.12

Timeline

  • Vulnerability published

  • Vulnerability Reserved
