PT-2026-38980 · Linux · Linux Kernel
Published
2026-05-08
·
Updated
2026-05-16
·
CVE-2026-43329
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the netfilter flowtable hardware-offload code: the helper that hands out the next action entry of a flow rule did not strictly check against the maximum number of supported actions. In IPv6 setups the number of offload actions a single flow can require (ethernet mangling, SNAT, DNAT, double VLAN and redirect) can reach 17, exceeding the previous limit of 16, so a flow could need more entries than the rule's action array holds. Two factors push the count up: act_ct support for tunnel actions, and the fact that payload mangle actions operate on 32-bit words, so rewriting a single IPv6 address takes four actions.
Recommendations
Update the Linux kernel to a version where the flow_action_entry_next() helper strictly checks for the maximum number of supported actions and where the maximum number of actions per flow has been increased from 16 to 24.
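The following is an added example, not kernel code and not taken from the advisory. It models how a flowtable offload rule fills a fixed-size action array and why the "next entry" helper must refuse to hand out an entry once the budget is used up. The limits (16 before the fix, 24 after) come from the advisory; the per-feature entry counts (four 32-bit mangles for the ethernet header, four per IPv6 address, one per port, one per VLAN push, one redirect) are assumptions chosen so that the IPv6 worst case reconstructs the 17-entry figure the advisory mentions. Names such as `entry_next`, `build_rule` and `flow_desc` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Limits stated in the advisory: 16 entries per rule before the fix, 24 after. */
#define MAX_ACTIONS_OLD 16
#define MAX_ACTIONS_NEW 24

/* What a flow needs offloaded (model of a flowtable entry, not a kernel struct). */
struct flow_desc {
    bool ipv6;
    bool snat, dnat;            /* address rewrite */
    bool snat_port, dnat_port;  /* L4 port rewrite */
    unsigned int vlan_tags;     /* 0, 1 or 2 (QinQ, i.e. double VLAN) */
    bool redirect;              /* forward to the egress device */
};

struct action_entry { const char *what; };

struct flow_rule {
    unsigned int max_actions;
    unsigned int num_actions;
    struct action_entry entries[MAX_ACTIONS_NEW]; /* physical storage for the demo */
};

/* Strictly bounded "next entry" helper. The pre-fix kernel helper this models
 * lacked the comparison against the maximum, so the 17th entry of an IPv6 rule
 * was written past the end of a 16-entry array. Here we return NULL instead. */
static struct action_entry *entry_next(struct flow_rule *r)
{
    if (r->num_actions >= r->max_actions)
        return NULL;
    return &r->entries[r->num_actions++];
}

/* Emit n consecutive entries with the same label; false once the budget is exhausted. */
static bool emit(struct flow_rule *r, const char *what, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++) {
        struct action_entry *e = entry_next(r);
        if (!e)
            return false;
        e->what = what;
    }
    return true;
}

/* Payload mangles work on 32-bit words: one for an IPv4 address, four for IPv6. */
static unsigned int addr_words(bool ipv6) { return ipv6 ? 4 : 1; }

/* Entries a flow needs, computed up front (assumed counts, see lead-in). */
static unsigned int required_actions(const struct flow_desc *d)
{
    unsigned int n = 4;                       /* ethernet src + dst rewrite, 2 words each */
    if (d->snat)      n += addr_words(d->ipv6);
    if (d->dnat)      n += addr_words(d->ipv6);
    if (d->snat_port) n += 1;
    if (d->dnat_port) n += 1;
    n += d->vlan_tags;                        /* one push per tag */
    if (d->redirect)  n += 1;
    return n;
}

/* Fill the rule under a given budget. Returns the number of entries used,
 * or -1 if the strict check in entry_next() refused to overrun the array. */
static int build_rule(struct flow_rule *r, const struct flow_desc *d, unsigned int max)
{
    r->max_actions = max;
    r->num_actions = 0;
    bool ok = emit(r, "eth-mangle", 4);
    if (d->snat)      ok = ok && emit(r, "snat-addr", addr_words(d->ipv6));
    if (d->dnat)      ok = ok && emit(r, "dnat-addr", addr_words(d->ipv6));
    if (d->snat_port) ok = ok && emit(r, "snat-port", 1);
    if (d->dnat_port) ok = ok && emit(r, "dnat-port", 1);
    ok = ok && emit(r, "vlan-push", d->vlan_tags);
    if (d->redirect)  ok = ok && emit(r, "redirect", 1);
    return ok ? (int)r->num_actions : -1;
}

/* The advisory's worst case: everything enabled, double VLAN, IPv4 or IPv6. */
static struct flow_desc worst_case(bool ipv6)
{
    struct flow_desc d = { ipv6, true, true, true, true, 2, true };
    return d;
}

static unsigned int worst_case_required(bool ipv6)
{
    struct flow_desc d = worst_case(ipv6);
    return required_actions(&d);
}

static int build_worst_case(bool ipv6, unsigned int max)
{
    struct flow_desc d = worst_case(ipv6);
    struct flow_rule r;
    return build_rule(&r, &d, max);
}

int main(void)
{
    printf("IPv6 worst case needs %u entries\n", worst_case_required(true));
    printf("with limit %d: %d\n", MAX_ACTIONS_OLD, build_worst_case(true, MAX_ACTIONS_OLD));
    printf("with limit %d: %d\n", MAX_ACTIONS_NEW, build_worst_case(true, MAX_ACTIONS_NEW));
    return 0;
}
```

With a 16-entry budget the IPv6 rule fails cleanly at the 17th entry instead of corrupting memory; raising the budget to 24 lets the same rule build, and the IPv4 variant of the same rule (11 entries) fits either way, which is why the bug only surfaced in IPv6 setups.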
Affected Products
Linux Kernel