Skip to main content

Linux Kernel CVE-2026-43411

| EUVDEUVD-2026-28717 MEDIUM
Divide By Zero (CWE-369)
2026-05-08 Linux GHSA-5396-3j5p-9gg2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 20:32 vuln.today
CVSS changed
May 21, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix divide-by-zero in tipc_sk_filter_connect()

A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes:

delay %= (tsk->conn_timeout / 4);

If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic.

Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect().

Oops: divide error: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+ RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362) Call Trace: tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406) __release_sock (include/net/sock.h:1185 net/core/sock.c:3213) release_sock (net/core/sock.c:3797) tipc_connect (net/tipc/socket.c:2570) __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)

AnalysisAI

Divide-by-zero in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a local low-privileged user to trigger a kernel oops/panic via a crafted setsockopt call. An attacker with local access sets conn_timeout to a value in the range [0, 3] on a TIPC socket, then initiates a connection that receives TIPC_ERR_OVERLOAD, causing integer division by zero in tipc_sk_filter_connect() and crashing the kernel. No public exploit has been identified at time of analysis and EPSS is 0.02%, but the low-complexity, low-privilege local trigger makes this a practical local denial-of-service in shared or container environments.

Technical ContextAI

The vulnerability resides in the TIPC networking subsystem of the Linux kernel, specifically in net/tipc/socket.c at tipc_sk_filter_connect() (line ~2236/2362). TIPC is a cluster-oriented IPC protocol built into the kernel. The root cause is CWE-369 (Divide By Zero): the conn_timeout socket option is user-controlled via setsockopt(TIPC_CONN_TIMEOUT) and has no enforced minimum. When a SYN is rejected with TIPC_ERR_OVERLOAD, the retry delay is computed as 'delay %= (tsk->conn_timeout / 4)'. For conn_timeout values 0-3, integer division produces 0, and the modulo operation triggers a processor divide-error exception (#DE), causing a kernel oops. The oops trace confirms execution under KASAN on the process context stack: tipc_sk_backlog_rcv → __release_sock → release_sock → tipc_connect → __sys_connect. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers all mainstream Linux kernel versions introduced since commit 6787927475e52f6933e3affce365dabb2aa2fadf. The 'Information Disclosure' tag in the source intelligence appears incorrect - the CVSS vector (C:N/I:N/A:H) confirms this is a pure availability impact with no confidentiality loss.

RemediationAI

The primary fix is to upgrade to the patched kernel version for your stable branch: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, sourced from https://git.kernel.org/stable/. The upstream fix clamps conn_timeout to a minimum of 4 at the point of use inside tipc_sk_filter_connect(), preventing integer division by zero. As a compensating control where patching is not immediately possible, disabling TIPC entirely via 'modprobe -r tipc' or blacklisting the tipc module in /etc/modprobe.d/ prevents any exposure at the cost of losing TIPC-based cluster IPC functionality - acceptable for most general-purpose servers that do not use TIPC. Alternatively, restricting creation of TIPC sockets to privileged users via seccomp profiles or LSM (SELinux/AppArmor) socket class policies limits exposure to trusted processes; this reduces attack surface but does not eliminate the vulnerability if any privileged process is exploitable. No vendor advisory URL beyond the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-43411) was present in the reference data.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy