Skip to main content

Linux Kernel CVE-2026-43035

| EUVDEUVD-2026-26634 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 18:52 vuln.today
CVSS changed
May 08, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26634
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak

When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field.

The fix simply zeroes tcm_info alongside the other fields that are already initialized.

AnalysisAI

Information disclosure in the Linux kernel's traffic control (tc) scheduler allows local users with low privileges to read uninitialized kernel heap memory through the tc_chain_fill_node() function, which fails to zero-initialize the tcm_info field in netlink messages before transmission to userspace. The vulnerability affects multiple stable kernel series and has a vendor-released patch available across all affected versions.

Technical ContextAI

The Linux kernel's network traffic control (tc) subsystem uses netlink sockets to communicate configuration and statistics to userspace. The tc_chain_fill_node() function constructs netlink messages containing struct tcmsg (traffic control message) structures. The vulnerability exists in the classifier API (cls_api) where the tcm_info field, a 4-byte field within tcmsg, was never explicitly initialized to zero before the structure is sent to userspace via netlink. Since kernel memory allocations may contain residual data from previous uses, this uninitialized field leaks sensitive heap memory. CWE-908 (Memory Initialization with Hard-Coded Network Resource Configuration Data) captures the root cause of improper memory initialization. The fix initializes tcm_info to zero alongside other tcmsg fields, preventing information leakage. This is a local information disclosure vulnerability requiring local system access and low-privilege credentials to trigger via tc configuration netlink commands.

RemediationAI

Vendor-released patches are available for all affected kernel versions: upgrade to Linux 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0, or later stable versions depending on your kernel series. Apply the fix commit directly to earlier stable branches if needed; the fix is minimal (zeroing tcm_info field in tc_chain_fill_node() function) and available at kernel.org stable commit references: 903c3405cfcc7700260e456ab66a5867586c9e69 (6.12), 71a3eda7e850ae844cb8993065f4e410c11a46ce (5.10), 4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3 (6.1), e35f5195cd44ff4053fbc5d71ea97681728a0099 (6.6), d6db08484c6cb3d4ad696246f9d288eceba2a078 (5.15), 906997ea3766c24fbbf9cc4bf17c047315bbd138 (6.12), 1091b3c174441a52fdbb92e2fe00338f9371a91c (6.18), and e6e3eb5ee89ac4c163d46429391c889a1bb5e404. If immediate patching is delayed, no practical workaround exists short of disabling unprivileged access to tc configuration (via sudo restrictions or network namespace isolation), though this may impact legitimate traffic control administrators.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy