Skip to main content

Linux Kernel CVE-2026-43198

| EUVDEUVD-2026-27757 CRITICAL
Race Condition (CWE-362)
2026-05-06 Linux GHSA-rhcj-6wxj-r34p
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:36 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.8 (CRITICAL)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix potential race in tcp_v6_syn_recv_sock()

Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late.

After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it.

Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found.

Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion.

This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.

AnalysisAI

Race condition in Linux kernel TCP/IPv6 stack allows remote unauthenticated attackers to trigger use-after-free conditions during IPv6-mapped IPv4 socket creation, potentially achieving arbitrary code execution or denial of service. The flaw occurs in tcp_v6_syn_recv_sock() where child socket visibility in the TCP hash table races with incomplete IPv6 structure initialization, causing other CPUs to access invalid memory via newinet->pinet6 pointing to listener data. Vendor patches available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical CVSS 9.8 rating, suggesting this requires specific IPv6-mapped IPv4 configuration and precise timing to exploit.

Technical ContextAI

This vulnerability affects the Linux kernel's TCP implementation, specifically the IPv6 dual-stack handling code path. When processing SYN packets on IPv6 sockets that accept IPv4 connections (IPv4-mapped IPv6 addresses), the tcp_v6_syn_recv_sock() function calls tcp_v4_syn_recv_sock() to create a child socket. The race condition occurs because the child socket is inserted into the TCP ehash (established hash table) before its IPv6-specific structures are properly initialized. During this window, the newinet->pinet6 pointer still references the parent listener's ipv6_pinfo structure rather than the child's own structure. If another CPU accesses this socket through the ehash table during the race window, it will dereference invalid memory, leading to use-after-free conditions. The fix moves the problematic initialization code into a new helper function tcp_v6_mapped_child_init() that executes before ehash insertion, closing the race window. This is a memory safety issue in kernel networking code, affecting systems with dual-stack TCP/IPv6 enabled. While no CWE is assigned, this represents a classic time-of-check-time-of-use (TOCTOU) race condition combined with memory corruption potential.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16, 6.19.6, 7.0, or later releases incorporating fix commits fe89b2f05b854847784f91127319172945c1fadd, 7178e2a8027423b2af17ab95df73a749a5b72e5b, or 858d2a4f67ff69e645a43487ef7ea7f28f06deae. Distribution-specific kernel updates should be obtained through normal vendor channels (apt, yum, zypper). Patch details and source code fixes available at https://git.kernel.org/stable/. For systems unable to immediately patch, specific compensating controls include disabling IPv6 dual-stack support via sysctl net.ipv6.bindv6only=1, which forces separate IPv4 and IPv6 sockets and prevents the vulnerable code path from executing (trade-off: breaks applications expecting IPv4-mapped IPv6 address handling, may impact dual-stack service availability). Alternatively, restrict IPv6 network access via firewall rules to trusted sources only, reducing attack surface (trade-off: limits legitimate IPv6 connectivity, does not prevent exploitation from allowed networks). Network segmentation to isolate vulnerable systems from untrusted networks reduces exposure window during patching. Note that disabling IPv6 entirely via kernel boot parameters prevents exploitation but breaks IPv6-dependent services and is not recommended for production dual-stack environments. Kernel live patching solutions (kpatch, kGraft, Livepatch) may allow applying fixes without reboot on supported distributions.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy