Skip to main content

Linux Kernel CVE-2026-43039

| EUVDEUVD-2026-26638 CRITICAL
2026-05-01 Linux
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:37 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26638
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch

emac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but never copies the packet data from the XDP buffer into it. The skb is passed up the stack containing uninitialized heap memory instead of the actual received packet, leaking kernel heap contents to userspace.

Copy the received packet data from the XDP buffer into the skb using skb_copy_to_linear_data().

Additionally, remove the skb_mark_for_recycle() call since the skb is backed by the NAPI page frag allocator, not page_pool. Marking a non-page_pool skb for recycle causes the free path to return pages to a page_pool that does not own them, corrupting page_pool state.

The non-ZC path (emac_rx_packet) does not have these issues because it uses napi_build_skb() to wrap the existing page_pool page directly, requiring no copy, and correctly marks for recycle since the page comes from page_pool_dev_alloc_pages().

AnalysisAI

Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.

Technical ContextAI

This vulnerability affects the TI ICSSG PRU Ethernet driver (icssg-prueth) in the Linux kernel networking subsystem. The driver implements both zero-copy (ZC) and traditional RX paths using different memory allocation strategies. The ZC path's emac_dispatch_skb_zc() function uses napi_alloc_skb() which allocates from NAPI page fragment allocator, while the working non-ZC path uses napi_build_skb() with page_pool_dev_alloc_pages(). XDP (eXpress Data Path) buffer handling requires explicit data copying when transitioning between zero-copy and traditional skb representations. The page_pool infrastructure manages DMA-mapped page recycling for high-performance networking, and incorrectly marking non-page_pool pages for recycle breaks this state machine by returning foreign pages to the allocator.

RemediationAI

Upgrade to Linux kernel 6.19.12 or 7.0 stable which include upstream fixes commit 5597dd284ff8 (stable) and a968438d4fc1 (mainline). Apply vendor patches from https://git.kernel.org/stable/c/a968438d4fc17ee1dcdc3cfa490dcb5e7709cf76 and https://git.kernel.org/stable/c/5597dd284ff8c556c0b00f6a34473677426e3f81. For systems unable to immediately patch, disable the TI ICSSG PRU Ethernet driver by blacklisting the icssg-prueth kernel module (add 'blacklist icssg_prueth' to /etc/modprobe.d/blacklist.conf and regenerate initramfs) - this will disable network connectivity on affected interfaces but prevents exploitation. Alternatively, if the hardware supports standard Ethernet controllers in addition to PRU-ICSS, migrate network traffic to non-PRU interfaces. Network-level mitigations are ineffective since exploitation occurs in kernel packet processing before firewall evaluation. Disabling the driver or migrating interfaces has no side effects for systems not using TI PRU Ethernet hardware but will cause network outage on systems actively using these interfaces.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy