Skip to main content

Linux Kernel CVE-2026-43208

| EUVDEUVD-2026-27771 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-6cq8-8cqv-fh6c
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:38 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.8 (CRITICAL)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: do not pass flow_id to set_rps_cpu()

Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change.

Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes.

AnalysisAI

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Technical ContextAI

The vulnerability exists in the Linux kernel's Receive Packet Steering (RPS) mechanism, which distributes incoming network packets across CPU cores for load balancing. The set_rps_cpu() function incorrectly relied on flow_id values calculated by get_rps_cpu() under the false assumption that all receive queue RPS tables have identical sizes and remain static. When RPS tables differ in size across queues or are resized dynamically, the pre-computed flow_id can exceed the bounds of the target table's hash buckets, causing out-of-bounds memory access. The affected code path processes network packets at the kernel level, before user-space filtering, making this exploitable via crafted network traffic. CPE data identifies Linux kernel versions between commit 48aa30443e52 and the patched releases as vulnerable.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16 or later for 6.18.x series, 6.19.6 or later for 6.19.x series, or 7.0 for mainline kernels. Patches are available from kernel.org Git stable branches at commit IDs 5455a232edea6b946b99449f15ca771a8874a5a6 (6.18 fix), 8a8a9fac9efa6423fd74938b940cb7d731780718 (6.19 fix), and ed712dc0d64dee5f0d05e4d8ca57711f8a9c850c (7.0 fix). Organizations unable to immediately patch should disable RPS on network interfaces as a temporary mitigation by writing zero to /sys/class/net/INTERFACE/queues/rx-*/rps_cpus, though this reduces multi-core packet processing performance and may create bottlenecks on high-throughput systems. Alternatively, restrict network access to trusted sources via firewall rules to reduce attack surface, though this does not eliminate risk from insider threats or compromised trusted networks. Validate patched kernel version after deployment using 'uname -r' and cross-reference with vendor security bulletins.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy