Skip to main content

Linux Kernel CVE-2026-43438

| EUVDEUVD-2026-28744 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-h262-73j6-24h2
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:35 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Remove redundant css_put() in scx_cgroup_init()

The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs.

According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow.

Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability.

AnalysisAI

Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.

Technical ContextAI

The vulnerability exists in the sched_ext (scheduler extensions) subsystem of the Linux kernel, specifically in the scx_cgroup_init() function's error handling path. The code improperly calls css_put() on cgroup subsystem state (css) structures obtained from css_for_each_descendant_pre() iterator. According to kernel cgroup API contracts, this iterator walks the cgroup hierarchy under cgroup_lock() without incrementing reference counts on yielded css structs. The css_put() function should only release references explicitly acquired via css_get() or css_tryget_online(). Calling css_put() without a corresponding reference acquisition causes a reference count underflow, corrupting kernel memory management state and creating a Use-After-Free condition. This affects the CPU scheduler's cgroup integration layer, a foundational component for container resource management. The affected CPE strings (cpe:2.3:a:linux:linux) with version-specific Git commit hashes indicate patches applied to multiple stable kernel branches (6.12.x, 6.18.x, 6.19.x, 7.0).

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.78 or later for the 6.12 series, 6.18.19 or later for 6.18 series, 6.19.9 or later for 6.19 series, or upgrade to kernel 7.0 or later. Patches are available from the official kernel.org stable repositories at the Git commit URLs listed in CVE references (cc095cd305fd, 6eaaa67d6998, bf50f3285eda, 1336b579f607). Organizations unable to immediately patch should consider temporarily disabling sched_ext scheduler extensions if not required for production workloads, though this may impact custom scheduler policies in containerized environments. For mission-critical systems where kernel upgrades require extended testing windows, restrict local user access and implement mandatory access controls (SELinux, AppArmor) to limit cgroup manipulation capabilities to trusted administrative accounts only, though this reduces rather than eliminates risk. Monitor kernel logs for cgroup initialization failures or unexpected css reference count warnings as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy