Skip to main content

Linux Kernel CVE-2026-43374

| EUVDEUVD-2026-28680 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-4gvv-jqvc-49j6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:30 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.

AnalysisAI

Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.

Technical ContextAI

This is a race condition vulnerability (use-after-free) in the Linux kernel's nexthop routing subsystem, specifically in the remove_nh_grp_entry() function within the network stack. The kernel uses Read-Copy-Update (RCU) synchronization to allow lock-free concurrent access to routing data structures. When a nexthop entry is removed from a routing group, the code publishes the updated group structure via rcu_assign_pointer() but immediately calls free_percpu() to deallocate per-CPU statistics before the synchronize_net() barrier executes. RCU readers that entered a read-side critical section before the pointer update can still traverse the old group structure and attempt to increment statistics via nh_grp_entry_stats_inc(), which calls get_cpu_ptr(nhge->stats) on already-freed percpu memory. This violates the fundamental RCU contract that objects must remain valid until all readers complete their critical sections. The fix implements deferred reclamation by chaining removed entries onto a temporary list and only freeing their percpu stats after synchronize_net() guarantees no readers remain. Affected CPE identifiers confirm this impacts the core Linux kernel networking code across multiple stable branches.

RemediationAI

Immediately upgrade to patched kernel versions: 6.12.78 or later for the 6.12.x series, 6.18.19 or later for 6.18.x, 6.19.9 or later for 6.19.x, or 7.0 for mainline deployments. Patches are available via distribution package managers or directly from git.kernel.org stable branches (see commit links ab5ebab9664214ba41a7633cb4e72f128204f924, 9e08ad731862b22a87cc55f752e16d66cdc9e231, b2662e7593e94ae09b1cf7ee5f09160a3612bcb2, abf4feaee6405f1441929c6ebe7a250f2cd170a7). For systems where immediate kernel upgrade requires extended downtime, consider restricting CAP_NET_ADMIN capability to only highly trusted administrative accounts via capability bounding sets or namespace isolation, which prevents unprivileged users from manipulating nexthop routing groups. This workaround reduces attack surface but does not eliminate risk from compromised admin accounts. Note that restricting CAP_NET_ADMIN may break legitimate network management tools or container orchestration systems that rely on dynamic routing configuration. Verify compatibility in test environments before production deployment. Systems without multipath routing or IPv6 may disable CONFIG_IP_ROUTE_MULTIPATH and CONFIG_IPV6 kernel options and rebuild, but this is impractical for production environments requiring these features. No runtime sysctl or module parameter mitigations exist.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy