CVE-2026-53184

The CVE describes a Linux kernel bug on the UDP receive path when a socket is in a sockmap. skb->dev is repurposed as dev_scratch and is not cleared before running the attached SK_SKB verdict program; if the verdict calls socket-lookup helpers (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), skb-&...

EUVD-2026-39275

In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: bpf: fix recursive lock when verdict program return SKPASS When the streamverdict program returns SKPASS, it places the received skb into its own receive queue. However, a recursive lock occurs eventually, leading to an operating...

PT-2026-48478

Affected: @hulumi/drift 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-755 Improper Handling of Exceptional Conditions Summary @hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted Pulumi-state diff, provider-version change, CloudTrail event,...

kernel: bpf: fix ktls panic with sockmap

In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap 2172.936997 ------------ cut here ------------ 2172.936999 kernel BUG at lib/ioviter.c:629! ...... 2172.944996 PKRU: 55555554 2172.945155 Call Trace: 2172.945299 2172.945428 ? die+0x36/0x90...

SUSE CVE-2026-43451

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

EUVD-2026-28757

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

CVE-2026-43451

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

UBUNTU-CVE-2026-43451

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

CVE-2026-43451

Summary of CVE-2026-43451 (Linux kernel): The nfnetlink_queue entry leak occurs in the bridge verdict error path. When nfqnl_recv_verdict() dequeues an entry for PF_BRIDGE packets and nfqa_parse_bridge() returns an error (for example VLAN TCI missing when VLAN is present), the code returns withou...

CVE-2026-43451

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

CVE-2026-43451

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

CVE-2026-43451 netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

PT-2026-39112

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory leak exists in the netfilter nfnetlink queue component. The nfqnl recv verdict function calls find dequeue entry to remove a queue entry, taking ownership of it. For PF BRIDGE...

Linux Distros Unpatched Vulnerability : CVE-2026-43451

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data...

SUSE CVE-2026-43016

In the Linux kernel, the following vulnerability has been resolved: bpf: sockmap: Fix use-after-free of sk-sksocket in skpsockverdictdataready. syzbot reported use-after-free of AFUNIX socket's sk-sksocket in skpsockverdictdataready. 0 In unixstreamsendmsg, the peer socket's -skdataready is calle...

SUSE CVE-2026-43084

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause crash: BUG: KASAN: slab-use-after-free in nfqnlrecvverdict+0x11ac/0x15e0 nfnetlinkqueue...

AgentTrust: Runtime Safety Evaluation and Interception for AI Agent Tool Use

Modern AI agents execute real-world side effects through tool calls such as file operations, shell commands, HTTP requests, and database queries. A single unsafe action, including accidental deletion, credential exposure, or data exfiltration, can cause irreversible harm. Existing defenses are...

SUSE CVE-2026-43024

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: reject immediate NFQUEUE verdict nftqueue is always used from userspace nftables to deliver the NFQUEUE verdict. Immediately emitting an NFQUEUE verdict is never used by the userspace nft tools, so reject...

Astra Linux – Vulnerability found in Linux 5.15, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fixed repeated calls to sockput when msg has moredata In the tcpbpfsendverdict redirection, the eval variable is assigned to SKREDIRECT after the applybytes data is sent. If msg has moredata, sockput will be called...