Skip to main content

Linux Kernel CVE-2026-43463

| EUVDEUVD-2026-28769 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-qc73-3qqx-fc2q
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:52 vuln.today
CVSS changed
May 20, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()

rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient.

Fix this by:

(1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure.

(2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned.

AnalysisAI

Null pointer dereference in the Linux kernel's rxrpc and AFS subsystems allows a local authenticated attacker to trigger a kernel denial of service. The rxrpc_kernel_lookup_peer() function can return either NULL or an error pointer on failure, but its AFS callers only tested for NULL - leaving unchecked error pointer values that, when dereferenced, cause a kernel panic. No public exploit has been identified and EPSS probability sits at 0.02%, indicating low observed exploitation interest; however, the availability impact is rated High by CVSS due to the potential for full system crash.

Technical ContextAI

The affected components are the rxrpc subsystem (Reliable RPC over UDP, used as the transport for the AFS distributed filesystem client in the Linux kernel) and the afs subsystem (Andrew File System). The root cause, classified as CWE-476 (NULL Pointer Dereference), is a broader error-handling defect: rxrpc_kernel_lookup_peer() was documented to return NULL on allocation failure, but could also return an ERR_PTR-encoded error value. Callers in the afs subsystem used only a simple NULL check rather than the kernel's IS_ERR() / PTR_ERR() idiom, meaning non-NULL error pointers were treated as valid peer object pointers and subsequently dereferenced. The fix has two components: (1) normalizing rxrpc_kernel_lookup_peer() to return -ENOMEM (via ERR_PTR) rather than NULL on allocation failure, and (2) updating all afs callers to use IS_ERR() and PTR_ERR() for proper error propagation. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The vendor-released patch is available. Upgrade to Linux kernel 6.18.19 or later for the 6.18.x stable series, or 6.19.9 or later for the 6.19.x stable series; mainline (7.0+) includes the fix. The three upstream fix commits are: d55fa7cd4b19ba91b34b307d769c149e56ad0a75, 54331c5dcc6d97683d7ca2788e7ef9c9505e1477, and 4245a79003adf30e67f8e9060915bd05cb31d142 (https://git.kernel.org/stable/c/). For systems that cannot be immediately patched and where AFS client functionality is not required, unloading or blacklisting the 'kAFS' kernel module (kafs or af_rxrpc) eliminates the attack surface entirely; note this disables AFS filesystem mounting as a side effect. Systems that do not use the AFS filesystem client are not exposed regardless of kernel version. No generic network-level compensating control applies because the attack is local.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy