Skip to main content

Linux Kernel CVE-2026-43042

| EUVDEUVD-2026-26641 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:38 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26641
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mpls: add seqcount to protect the platform_label{,s} pair

The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses.

This patch adds a seqcount, so that we get a consistent snapshot.

Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.

AnalysisAI

Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.

Technical ContextAI

The vulnerability resides in the Linux kernel's MPLS (Multiprotocol Label Switching) implementation, specifically in the platform label table management. MPLS uses platform_labels (array pointer) and platform_label (size metadata) to manage label forwarding tables. RCU (Read-Copy-Update) synchronization allows lock-free reads in mpls_forward and mpls_dump_routes, but concurrent resize_platform_label_table operations protected only by platform_mutex can update the array pointer and size non-atomically from the RCU reader's perspective. This classic TOCTOU (Time-of-Check-Time-of-Use) race allows readers to use stale size metadata with a reallocated array pointer, resulting in out-of-bounds array indexing. The fix implements a seqcount reader-writer synchronization primitive, forcing readers to retry if a concurrent resize occurred during their snapshot acquisition, ensuring atomic visibility of the pointer-size pair.

RemediationAI

Update to patched kernel versions: 6.19.12 or later for the 6.x stable series, or 7.0 or later for mainline kernels. Apply vendor-provided patches from https://git.kernel.org/stable/c/5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef (stable tree fix) or https://git.kernel.org/stable/c/629ec78ef8608d955ce217880cdc3e1873af3a15 (alternative stable branch). Organizations unable to immediately patch should consider workarounds with these trade-offs: (1) Disable MPLS kernel modules if not required for routing operations (modprobe -r mpls_router mpls_iptunnel mpls_gso) - this eliminates attack surface but breaks MPLS-dependent routing configurations; (2) Restrict access to MPLS configuration interfaces via filesystem permissions on /proc/sys/net/mpls/* and netlink socket capabilities (CAP_NET_ADMIN) to trusted administrative accounts only - reduces attacker pool but does not prevent exploitation by compromised privileged processes; (3) Deploy kernel runtime integrity monitoring (IMA/EVM) to detect potential exploitation attempts via abnormal MPLS table operations - provides detection but not prevention. Note that disabling MPLS will cause routing failures in environments using label-switched paths for traffic engineering or VPN services.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy