From: Sashiko Review <sashiko@example.com>

This patch series fixes CVE-2026-43025 in the OLK-6.6 branch. The
vulnerability allows reading kernel memory bytes off the expectation
boundary when validating CTA_EXPECT_CLASS via a different helper than
the existing master conntrack helper.

* Patch 1: Store netns and zone in expectation (Stable-dep-of prerequisite)
* Patch 2: Ignore explicit helper on new expectations (main CVE fix)
* Patch 3: Restore helper propagation via expectation (new bugfix)

Pablo Neira Ayuso (3):
  netfilter: nf_conntrack_expect: store netns and zone in expectation
  netfilter: ctnetlink: ignore explicit helper on new expectations
  netfilter: nf_conntrack_expect: restore helper propagation via expectation

 include/net/netfilter/nf_conntrack_expect.h | 23 +++++++-
 net/netfilter/nf_conntrack_broadcast.c      |  7 ++-
 net/netfilter/nf_conntrack_core.c           |  7 ++-
 net/netfilter/nf_conntrack_expect.c         | 10 +++-
 net/netfilter/nf_conntrack_h323_main.c      | 12 ++--
 net/netfilter/nf_conntrack_helper.c         |  5 ++
 net/netfilter/nf_conntrack_netlink.c        | 61 ++++++++-------------
 net/netfilter/nf_conntrack_sip.c            |  2 +-
 8 files changed, 74 insertions(+), 53 deletions(-)

--
2.43.0