Skip to main content

Linux Kernel CVE-2026-43455

| EUVDEUVD-2026-28761 MEDIUM
2026-05-08 Linux GHSA-qq8v-696h-fhv2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:09 vuln.today
CVSS changed
May 20, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mctp: route: hold key->lock in mctp_flow_prepare_output()

mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devB

Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev.

Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call.

AnalysisAI

Race condition in the Linux kernel MCTP route subsystem allows a local, low-privileged attacker to cause a device reference count leak leading to availability impact. The mctp_flow_prepare_output() function in the MCTP (Management Component Transport Protocol) networking stack fails to hold key->lock around the key->dev check-and-set sequence, enabling two concurrent threads to each acquire a device reference while only the final one is tracked for release - gradually exhausting kernel resources. No public exploit exists and EPSS is 0.02% (7th percentile), indicating very low exploitation probability; patch-confirmed fixes are available across multiple stable kernel branches.

Technical ContextAI

MCTP (Management Component Transport Protocol) is a Linux kernel networking subsystem introduced in Linux 5.16, primarily used for platform management communications such as BMC-to-host or firmware messaging in server/embedded environments. The vulnerability resides in net/mctp/route.c within mctp_flow_prepare_output(), which binds a routing key to a network device during message transmission. The functions mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), establishing that key->dev access must be serialized under key->lock. However, the transmit call chain mctp_sendmsg() -> mctp_local_output() -> mctp_dst_output() -> mctp_flow_prepare_output() never acquires key->lock, leaving a TOCTOU (Time-of-Check to Time-of-Use) window open. No CWE is assigned by NVD, but the root cause aligns with CWE-667 (Improper Locking) or CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization). The vulnerable code was introduced at commit 67737c457281dd199ceb9e31b6ba7efd3bfe566d (Linux 5.16) and is present in all subsequent versions until the respective stable-branch fix commits.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0. Per-branch upstream commits are available at https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772 (6.12), https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91 (6.6), https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc (7.0), https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f (6.18), https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e (6.19), and https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a (6.1). For systems that cannot be patched immediately and do not require MCTP, unload the mctp kernel module (modprobe -r mctp) and blacklist it via /etc/modprobe.d/ to prevent the vulnerable code path from being reached - note this disables all MCTP-based platform management communication including BMC messaging, which may impact out-of-band management capabilities in server environments.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy