Skip to main content

Linux Kernel CVE-2026-43373

| EUVDEUVD-2026-28679 HIGH
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-cc5x-4c4f-8gxf
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:29 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ncsi: fix skb leak in error paths

Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak.

Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed.

AnalysisAI

Memory exhaustion in Linux kernel NCSI protocol handler allows remote denial of service through resource depletion. The Network Controller Sideband Interface (NCSI) receive and Asynchronous Event Notification (AEN) handlers fail to free socket buffers (skbs) in error paths, enabling network attackers to exhaust kernel memory by sending malformed NCSI packets or triggering device resolution failures. CVSS 7.5 (High severity) reflects unauthenticated network exploitation, though low EPSS score (0.02%, 7th percentile) suggests minimal observed exploitation. Vendor patches available across all active kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Technical ContextAI

The vulnerability affects the Linux kernel's NCSI protocol implementation, a management interface standard for sharing network controllers between baseboard management controllers (BMC) and host systems. NCSI is typically used in server environments for out-of-band management. The flaw exists in net/ncsi/ncsi-rsp.c and net/ncsi/ncsi-aen.c where socket buffer (skb) lifecycle management is incorrect. In ncsi_aen_handler(), invalid AEN packets trigger early returns without calling kfree_skb() or consume_skb(). Similarly, ncsi_rcv_rsp() exits prematurely on device resolution, handler lookup, or request validation failures, orphaning the received skb. Each leaked skb represents kernel memory that cannot be reclaimed until system reboot. The affected code path was introduced in commit 138635cc27c9 (Linux 4.8, October 2016), making all mainline and longterm kernels from 4.8 onward vulnerable. CPE strings confirm broad exposure across Linux distributions using kernels in the 4.8-7.0 range. This is a classic resource management error where error handling paths fail to mirror the cleanup performed in success paths.

RemediationAI

Upgrade to patched kernel versions: 5.10.253 or later for 5.10.x LTS branch, 5.15.203+ for 5.15.x, 6.1.167+ for 6.1.x, 6.6.130+ for 6.6.x, 6.12.78+ for 6.12.x, 6.18.19+ for 6.18.x, 6.19.9+ for 6.19.x, or 7.0+ for mainline. Distribution-specific patches: apply security updates from RHEL, Ubuntu, SLES, Debian security repositories that backport the fixes (commits b70c4e5e7119, 553366c27147, 59962588197, 5c3398a54266, 81d6aee32f8f, fef5aa6e3bcf, 87138dde2d69, 9891d7f4f1ed). If immediate patching is not feasible, disable NCSI protocol handling by blacklisting the ncsi kernel module (echo 'blacklist ncsi' >> /etc/modprobe.d/blacklist.conf && update-initramfs -u), though this breaks BMC-based out-of-band management functionality. Alternatively, restrict NCSI network access via firewall rules to trusted management networks only, preventing external attackers from sending malformed packets - effectiveness depends on network segmentation as NCSI operates at layer 2/3 boundary. Monitor kernel memory allocation rates (sar -r, /proc/meminfo) for unusual skb_head_cache growth indicating active exploitation. Compensating controls trade BMC management capabilities for risk reduction; assess operational impact before deployment.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy