Skip to main content

Linux Kernel CVE-2026-43332

| EUVDEUVD-2026-28616 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6j54-46hm-vq8v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:24 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone device registration error path

If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely.

Add the missing wait_for_completion() call to the thermal zone device registration error path.

AnalysisAI

Use-after-free in Linux kernel thermal subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact through race condition during thermal zone device registration failure. The flaw occurs when thermal_zone_device_register_with_trips() fails after registration but before properly cleaning up - if userspace holds a kobject reference, the thermal zone structure can be freed prematurely while still in use. Vendor patches available across stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating, suggesting limited real-world attacker interest in this local race condition.

Technical ContextAI

The vulnerability resides in the Linux kernel thermal management subsystem (drivers/thermal/thermal_core.c), specifically in the error handling path of thermal_zone_device_register_with_trips(). The thermal subsystem manages CPU and device temperature monitoring through registered thermal zone devices exposed via kobjects (kernel objects exposed to userspace through sysfs). When registration fails partway through, the error path must synchronize with potential userspace references via wait_for_completion() - the same mechanism used in thermal_zone_device_unregister(). Without this synchronization, a classic use-after-free race emerges: if userspace acquired a kobject reference before the error occurred, the kernel may free the thermal zone structure (tz) while userspace still holds the reference, leading to memory corruption when that reference is eventually released. This represents a time-of-check-to-time-of-use (TOCTOU) synchronization flaw in kernel object lifecycle management. The affected code path requires CONFIG_THERMAL=y kernel configuration and execution of thermal zone registration operations, typically triggered during device initialization or hotplug events.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.6.134+ for 6.6.x series, 6.12.81+ for 6.12.x series, 6.18.22+ for 6.18.x series, 6.19.12+ for 6.19.x series, or 7.0+ for mainline. Upstream patches available at https://git.kernel.org/stable/c/604da9c04c218362e1c1457304ebeb9c199d537c and related commits. Organizations unable to immediately patch can implement compensating controls by restricting local access via mandatory access control policies (SELinux targeted policy enforcement, AppArmor confinement) to limit which users/processes can trigger thermal zone registration operations, though this has operational overhead and may impact legitimate thermal management tools. Alternatively, in container/virtualization environments, use separate kernel namespaces or dedicated VM instances for untrusted workloads to prevent local exploitation from reaching host kernel. Note that disabling CONFIG_THERMAL is not viable on production systems as it breaks temperature monitoring and thermal throttling critical for hardware protection. Prioritize patching on multi-tenant systems, shared hosting infrastructure, and container platforms where untrusted users have local shell access. Single-user desktop/laptop systems present minimal risk under normal usage.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy