Skip to main content

Linux Kernel CVE-2026-43295

| EUVDEUVD-2026-28565 MEDIUM
2026-05-08 Linux GHSA-48jm-q77p-w8gv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 22:06 vuln.today
CVSS changed
May 14, 2026 - 19:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()

When idtab allocation fails, net is not registered with rio_add_net() yet, so kfree(net) is sufficient to release the memory. Set mport->net to NULL to avoid dangling pointer.

AnalysisAI

Denial of service in Linux kernel RapidIO subsystem occurs when idtab allocation fails during rio_scan_alloc_net(), causing the function to incorrectly invoke rio_free_net() instead of kfree() on unregistered memory, leaving a dangling pointer in mport->net that can be dereferenced later to trigger a crash. Authenticated local attackers with low privilege can trigger this condition on systems with RapidIO support enabled, resulting in kernel panic and service unavailability. EPSS probability is low (0.02%) despite moderate CVSS, indicating limited real-world exploitability; no public exploit code or active KEV exploitation confirmed.

Technical ContextAI

The RapidIO subsystem in the Linux kernel provides rapid I/O interconnect protocol support. The vulnerability exists in rio_scan_alloc_net(), which allocates a rio_net structure and initializes its idtab (identifier table). When the idtab kzalloc() call fails partway through initialization, the function erroneously calls rio_free_net() - a cleanup function designed for fully registered network structures that have been added via rio_add_net(). For unregistered structures still under initialization, only direct kfree() of the net pointer is appropriate. The fix ensures kfree(net) is used and sets mport->net to NULL to eliminate dangling pointer dereference. This is a use-after-free prevention and correct resource teardown issue classified under memory management error handling.

RemediationAI

Apply vendor-released kernel patch from the stable Linux tree corresponding to your kernel version: upgrade to Linux 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 (or later), as appropriate for your branch. The fix is available at kernel commits referenced in https://git.kernel.org/stable/. For distributions: update the kernel package through your package manager (apt update && apt upgrade linux-image-*, yum update kernel, etc.). If immediate patching is not feasible, mitigation via configuration is possible on systems where RapidIO hardware is not in use: disable the RapidIO subsystem at compile time (CONFIG_RAPIDIO=n) or unbind the rio-scan driver at runtime. Note that this eliminates RapidIO functionality entirely, suitable only for environments without RapidIO interconnect hardware.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy