Skip to main content

Linux Kernel CVE-2026-43216

| EUVDEUVD-2026-27776 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-r977-p9g8-m7hx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 19:37 vuln.today
CVSS changed
May 11, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: Drop the lock in skb_may_tx_timestamp()

skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU.

Taking the lock can be avoided. The socket (pointed by the skb) will remain valid until the skb is released. The ->sk_socket and ->file member will be set to NULL once the user closes the socket which may happen before the timestamp arrives. If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointer (and the file's cred member) are RCU freed.

Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a matching WRITE_ONCE() where the pointer are cleared.

AnalysisAI

Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.

Technical ContextAI

The vulnerability exists in the skb_may_tx_timestamp() function within the Linux kernel's networking stack. This function attempts to acquire the sock::sk_callback_lock to validate socket state during socket buffer (skb) TX timestamp operations. The underlying issue is a lock-ordering violation: the sk_callback_lock is designed for softirq-safe contexts, but when network device drivers complete TX timestamp operations from dedicated interrupt handlers (IRQ context), acquiring this lock can deadlock if it is already write-locked on the same CPU. The root cause is CWE-476 (Null Pointer Dereference) related to unsafe pointer access without proper synchronization. The fix addresses this by eliminating the lock acquisition entirely, instead using READ_ONCE() for safe concurrent access to socket pointers (->sk_socket and ->file) that are RCU-protected, with corresponding WRITE_ONCE() barriers at pointer clearance during socket closure.

RemediationAI

Apply the upstream fix by upgrading to patched kernel versions: Linux 6.18.16 or later, Linux 6.19.6 or later, or Linux 7.0 and later. For stable branch users, apply the specific backport commits available at the kernel.org stable repository (references https://git.kernel.org/stable/c/f3e4cceafad27c9363c33622732f86722846ec6f and associated commits). The fix involves removing the sk_callback_lock acquisition in skb_may_tx_timestamp() and implementing READ_ONCE()/WRITE_ONCE() barriers for safe pointer access. No workarounds are available short of kernel upgrade, as the vulnerability is a core synchronization issue in the networking stack. Users unable to immediately patch should monitor for system hangs correlated with network timestamp operations and may consider disabling hardware TX timestamping features in affected network drivers if supported, though this trades functionality for stability. The side effect of the patch is negligible-it actually improves performance by eliminating unnecessary lock contention in TX timestamp paths.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy