Skip to main content

Linux Kernel CVE-2026-43481

| EUVDEUVD-2026-30017 HIGH
2026-05-13 Linux GHSA-cjr4-fwc8-qf28
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 19:30 vuln.today
CVSS changed
May 20, 2026 - 17:22 NVD
7.8 (HIGH)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net-shapers: don't free reply skb after genlmsg_reply()

genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path.

net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice.

Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.

AnalysisAI

Double-free condition in the Linux kernel's net-shapers subsystem allows local low-privileged attackers to corrupt kernel memory via the generic netlink interface. The flaw occurs because net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() incorrectly call nlmsg_free() on a reply skb that was already consumed by genlmsg_reply(), enabling potential privilege escalation. No public exploit identified at time of analysis and EPSS scoring places exploitation probability at only 0.02%.

Technical ContextAI

The vulnerability resides in the net-shapers networking subsystem of the Linux kernel, which uses the generic netlink (genetlink) protocol for userspace-to-kernel communication. The genlmsg_reply() helper internally calls netlink_unicast(), which takes ownership of the socket buffer (skb) and is responsible for freeing it on all return paths - success or failure. The buggy error handling path jumped to a free_msg label that invoked nlmsg_free() on the same already-freed skb, producing a classic double-free condition. While no CWE is assigned in the source data, this matches CWE-415 (Double Free) behavior. The affected CPE strings (cpe:2.3:a:linux:linux) confirm the upstream Linux kernel project as the affected product.

RemediationAI

Upgrade to Linux kernel 6.18.19, 6.19.9, or later stable release containing the fix, per the upstream commits at https://git.kernel.org/stable/c/8738dcc844fff7d0157ee775230e95df3b1884d7, https://git.kernel.org/stable/c/83f7b54242d0abbfce35a55c01322f50962ed3ee, and https://git.kernel.org/stable/c/57885276cc16a2e2b76282c808a4e84cbecb3aae. Distribution-specific kernel updates from Red Hat, Debian, Ubuntu, SUSE, and others should be applied via standard package management once published. As a compensating control until patched, restrict access to the net-shapers generic netlink family by limiting CAP_NET_ADMIN to trusted accounts and consider seccomp or LSM policies that deny the relevant netlink operations for untrusted workloads - note this may break legitimate traffic-shaping management tooling. Container hosts running untrusted tenants should prioritize patching since unprivileged user namespaces can amplify reach to this code path.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy