Skip to main content

Linux Kernel CVE-2026-43303

| EUVDEUVD-2026-28573 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-6fh9-96ww-pvwq
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:22 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values.

This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash:

KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use.

AnalysisAI

Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.

Technical ContextAI

This vulnerability affects the Linux kernel memory management subsystem, specifically the page allocator (mm/page_alloc) and its interaction with the swap subsystem. The page structure maintains a 'private' field that various kernel subsystems use for internal bookkeeping-SLUB allocator for object metadata, shmem for shared memory tracking, and TTM (Translation Table Maps) for graphics memory management. When high-order page allocations are split via split_page(), the kernel creates multiple smaller page structures from one large allocation. The vulnerability occurs because subsystems neglected to zero page->private before returning pages to the allocator. During subsequent reallocation and splitting, tail pages inherit stale pointer values. The swap continuation code (swap_count_continued()) expects page->private to be NULL for fresh allocations and uses it to maintain linked lists via page->lru. When stale values containing LIST_POISON markers (debugging sentinels like 0xdead000000000100) are dereferenced, kernel memory corruption occurs. The fix centralizes cleanup in free_pages_prepare(), ensuring all freed pages have sanitized state regardless of their previous subsystem usage.

RemediationAI

Upgrade to patched Linux kernel versions 6.18.16, 6.19.6, 7.0, or later stable releases containing the fix commits. Distribution-specific updates should be obtained through vendor channels: Red Hat via errata, Ubuntu through apt security updates, Debian stable-security, and SUSE maintenance channels. The upstream patches are available at https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f, https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb, and https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9 for organizations maintaining custom kernel builds. If immediate patching is not feasible, compensating controls include disabling swap functionality via 'swapoff -a' and removing swap entries from /etc/fstab, which eliminates the vulnerable code path but reduces system performance under memory pressure and may cause out-of-memory conditions on memory-constrained systems. Additionally, restricting local user access and implementing namespace isolation (user namespaces, seccomp filters) can limit attack surface on multi-tenant systems, though these do not prevent exploitation by legitimate local users. Kernel live-patching solutions (kpatch, kGraft) may provide interim mitigation where available from vendors.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy