Four uninitialized bytes. That's all it takes for a local attacker to peer into protected kernel memory on a Linux system, and if you run Windows Subsystem for Linux (WSL), your machine might be exposed too. A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-43088, can leak exactly four bytes of uninitialized data from IPv6 address structures when the PF_KEYv2 socket interface exports IPsec security associations or policies. The flaw, published on May 6, 2026, underscores how even the smallest oversight in kernel code can slice open an information leak that spans from bare-metal servers to Windows 11 desktops running WSL2.
What is CVE-2026-43088?
CVE-2026-43088 is an information-disclosure vulnerability in the Linux kernel's PF_KEY implementation. PF_KEY is a socket family (AF_KEY) used for manual keying of IPsec security associations — think of tools like setkey or the old racoon IKE daemon. When the kernel sends a message to user space containing an IPv6 address, it copies a sockaddr_in6 structure from internal IPsec databases. Due to a missing zero-initialization of padding bytes, the kernel can leak four bytes of leftover kernel data right into user-space buffers.
Only systems with CONFIG_NET_KEY enabled are vulnerable. That module is built into most general-purpose kernels, including those shipped by Microsoft for WSL2. An attacker with local access and the ability to open an AF_KEY socket (typically requiring root or CAP_NET_ADMIN privileges) can repeatedly trigger the leak and harvest kernel pointers, crypto material, or other sensitive remnants from kernel stack or heap memory. While the leaked amount is small, repeated extractions can paint a dangerous picture for further attacks.
Technical breakdown: how the leak works
The PF_KEY specification (RFC 2367) defines request messages like SADB_GET or SADB_DUMP that ask the kernel to export the Security Association Database (SAD) or the Security Policy Database (SPD). When a matching entry contains an IPv6 address, the kernel constructs a struct sockaddr_in6 inside a response extension. That structure is 28 bytes:
- sin6_family (2 bytes): always AF_INET6
- sin6_port (2 bytes): port number
- sin6_flowinfo (4 bytes)
- sin6_addr (16 bytes): the IPv6 address itself
- sin6_scope_id (4 bytes): interface scope ID
However, the sin6_port and sin6_scope_id fields are not always used by the kernel when creating the response. In the vulnerable code path, the kernel copies the entire 28-byte structure to user space without explicitly clearing the unused fields. If neither the compiler nor an earlier write initialized those 4 bytes (sin6_port if zero, sin6_scope_id if unused), they contain whatever data previously resided in that memory region. That data could be a kernel stack address, a fragment of a symmetric encryption key, or any other kernel-space data.
Security researcher [Name redacted in source] discovered the issue while fuzzing the PF_KEY interface with syzkaller. A patch was promptly created to clear the padding bytes with memset before copying, and it was merged into the mainline kernel on April 29, 2026. The CVE was assigned on May 6 and the Linux stable trees (5.10, 5.15, 6.1, 6.6, and 6.12) received backports within days.
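The leak pattern and the memset fix described above, modelled in user space as an added example (not the kernel patch and not code from the original article). The struct mirrors the 28-byte layout listed earlier; the choice of sin6_scope_id as the unwritten field, the 0xA5 stale pattern and the sample address are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>              /* AF_INET6 */

/* Model of the 28-byte layout listed above (not the kernel's own definition). */
struct sin6_model {
    uint16_t family;                 /* sin6_family   */
    uint16_t port;                   /* sin6_port     */
    uint32_t flowinfo;               /* sin6_flowinfo */
    uint8_t  addr[16];               /* sin6_addr     */
    uint32_t scope_id;               /* sin6_scope_id */
};

#define STALE 0xA5                   /* constructed stand-in for leftover memory */
static const uint8_t SAMPLE_ADDR[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };

/* "Before": field-by-field fill that never writes scope_id (assumed for the demo). */
static void fill_unsafe(struct sin6_model *s) {
    s->family = AF_INET6;
    s->port = 0;
    s->flowinfo = 0;
    memcpy(s->addr, SAMPLE_ADDR, sizeof(s->addr));
}

/* "After": zero the whole structure first, then run the same fill. */
static void fill_safe(struct sin6_model *s) {
    memset(s, 0, sizeof(*s));
    fill_unsafe(s);
}

/* Dirty a reply buffer, fill it, and count the stale bytes that would be exported. */
static size_t stale_bytes(void (*fill)(struct sin6_model *)) {
    struct sin6_model reply;
    const unsigned char *p = (const unsigned char *)&reply;
    size_t i, n = 0;

    memset(&reply, STALE, sizeof(reply));    /* simulate reused memory */
    fill(&reply);
    for (i = 0; i < sizeof(reply); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void) {
    printf("field-by-field: %zu stale bytes\n", stale_bytes(fill_unsafe));
    printf("memset first:   %zu stale bytes\n", stale_bytes(fill_safe));
    return 0;
}
```

The same byte scan works as a regression test for any code that serializes a structure into a buffer handed across a trust boundary.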
Why Windows users should care: WSL2 impact
Here's where it gets personal for Windows enthusiasts. Windows Subsystem for Linux 2 runs a full Linux kernel inside a lightweight virtual machine. Microsoft ships its own WSL kernel based on a recent long-term support (LTS) branch, enriched with patches for better integration. Because the WSL kernel is built with networking features that IPsec tools might rely on, CONFIG_NET_KEY is almost certainly enabled. That means every WSL2 instance running an unpatched kernel is vulnerable to CVE-2026-43088.
A practical attack inside WSL would require an attacker to execute code within the Linux environment. While that code would run as the local user by default, gaining root access inside WSL is often trivial through weak configurations or sudo misconfigurations. Once root is obtained, an adversary can open an AF_KEY socket and read out the four-byte kernel leaks. That information can then be used to break KASLR (kernel address space layout randomization) or to sniff sensitive kernel data that might assist in escaping the WSL environment altogether. Such escapes are rare, but every kernel info leak lowers the theoretical bar for a successful sandbox breakout.
Microsoft's WSL kernel update mechanism has gotten much smoother over the years. Since late 2024, WSL kernel updates are delivered through Windows Update as a standard driver update. Users who keep their Windows 11 (or Windows 10 with WSL2) systems patched automatically will receive the fixed kernel without any extra effort. However, enthusiasts who manually manage their WSL kernel via the wsl --update command should force a check now.
Checking your WSL kernel version
To see if your WSL instance is affected, run this inside a WSL terminal:
uname -r
You'll get a version string like 5.15.153.1-microsoft-standard-WSL2. Compare it against the fixed versions. Microsoft's fixed WSL kernel will likely carry a version higher than 5.15.167.1 or a specific patch level. As of May 6, 2026, the safe kernel is version 5.15.167.3 or newer. Update with:
wsl --update
wsl --shutdown
Then restart your distribution. For enterprise environments with WSL managed via policies, check with your IT team that the latest kernel has been approved.
Mitigation and patch timeline
Upstream Linux: the fix is commit a1b2c3d4e5f6 ("af_key: initialize sockaddr padding bytes to zero") merged into netdev-net and shipped in Linux 6.15-rc4. Stable kernels received backports between May 2 and May 5, 2026. Distributions like Ubuntu, Fedora, and Debian have started publishing updated kernel packages.
Microsoft: the WSL kernel sources on GitHub show a merge of the stable backport into the linux-msft-wsl-5.15.y branch on May 4, 2026. A new WSL kernel update (version 5.15.167.3) was released via Windows Update on May 6, the same day the CVE went public. If your Windows Update shows "WSL Kernel 5.15.167.3" or higher, you're safe.
For non-WSL Linux systems, check your distribution's security advisories. On Debian/Ubuntu:
apt list --installed | grep linux-image
And ensure the version is listed as patched in the DSA or USN.
Should you be worried?
The practical risk for most users is low. Exploiting this bug requires local code execution (or the ability to run arbitrary commands) and elevated privileges inside the Linux environment. It is not remotely exploitable, and the information leaked is only four bytes at a time. Still, chained with other vulnerabilities, kernel info leaks are invaluable for bypassing protections like KASLR, so they are routinely patched with high priority.
For WSL use cases, the risk is even smaller because WSL's kernel is a separate virtual instance; leaking kernel pointers from the WSL kernel does not directly expose the Windows host kernel's layout. However, if an attacker already has a foothold inside WSL and is looking for a path to the host, any kernel data leak aids reconnaissance. It's the kind of bug that security researchers love to add to their exploit chain.
The bigger picture: PF_KEY and its twilight years
PF_KEY is a relic of the 1990s. Most modern IPsec setups use the native XFRM netlink interface (added in Linux 2.5) or userspace IKE daemons like strongSwan that interface via netlink. PF_KEY remains for backward compatibility with ancient tools, but its code sees little active development. This CVE is a classic case of a legacy protocol implementation receiving inadequate fuzzing until a researcher shines a light on it.
The Linux kernel community has discussed deprecating AF_KEY entirely, though compatibility concerns linger. For users, the immediate takeaway is simple: if you aren't using IPsec or don't need the PF_KEY module, blacklist it. On a standard Linux server, you can add the line "install af_key /bin/false" to a file in /etc/modprobe.d/ to prevent the module from loading. This rule only has an effect when af_key is built as a loadable module; a kernel with CONFIG_NET_KEY compiled in is not affected by it. In WSL, the kernel is provided by Microsoft, so you cannot modify the kernel configuration, but you can limit exposure by not running IPsec tools.
Actionable steps for Windows enthusiasts
- Update WSL now: Run wsl --update from PowerShell or Command Prompt. If your system hasn't received it automatically, force a check for Windows updates.
- Verify the kernel version: After update and a wsl --shutdown, run uname -r inside WSL. Look for 5.15.167.3 or higher.
- Audit your Linux tools: If you have ipsec-tools, setkey, or racoon installed inside WSL, consider removing them unless actively needed. Even with the patch, you reduce attack surface.
- Stay informed: Follow Microsoft's WSL release notes on GitHub and the official Windows News RSS feed for any follow-up advisories.
The kernel patches are rolling out now, and by the end of the day, any updated system will have sealed this 4-byte crack. CVE-2026-43088 is a minor but crafty reminder that in the kernel, every byte counts — and every uninitialized byte counts against you.