Skip to main content

Linux Kernel EUVDEUVD-2026-26610

| CVE-2026-43011 CRITICAL
Double Free (CWE-415)
2026-05-01 Linux
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:33 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
9.8 (CRITICAL)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26610
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix potential double free of skb

When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:

x25_queue_rx_frame returns 1

| v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0

| v x25_process_rx_frame returns queued=0

| v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again

This would free the same skb twice. Looking at x25_backlog_rcv:

net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }

AnalysisAI

Double-free vulnerability in Linux kernel X.25 networking subsystem allows remote network attackers to potentially achieve denial of service or arbitrary code execution. The flaw occurs in x25_queue_rx_frame when socket buffer allocation fails, causing the same skb to be freed twice through the call chain from x25_backlog_rcv. Despite critical CVSS 9.8 score, exploitation probability remains low (EPSS 2%, 7th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).

Technical ContextAI

This vulnerability affects the X.25 protocol implementation in the Linux kernel networking stack, specifically the receive frame processing path. X.25 is a legacy packet-switched network protocol defined in the ISO/IEC 8208 standard, still used in some industrial control systems and legacy telecommunications infrastructure. The bug is a use-after-free/double-free memory corruption issue in error handling code. When x25_queue_rx_frame attempts to allocate a socket buffer via alloc_skb and fails, it frees the original skb and returns an error code. However, the calling function x25_backlog_rcv misinterprets the return value chain (through x25_state3_machine and x25_process_rx_frame) and frees the same skb again. This represents a classic reference counting error where error propagation semantics are inconsistent across the call stack. The affected code path has existed since the initial git import (commit 1da177e4c3f4), indicating a 20+ year old latent defect. Double-free vulnerabilities can lead to heap corruption, potentially exploitable for arbitrary code execution if an attacker can control heap layout and trigger the condition reliably.

RemediationAI

Update to patched kernel versions: 5.10.253 or later for 5.10.x branch, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or upgrade to mainline 7.0 or later. Patch details available at https://git.kernel.org/stable/c/143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1 and related commits. If immediate patching is not feasible, disable X.25 protocol support by unloading the x25 kernel module (rmmod x25) or blacklisting it (/etc/modprobe.d/blacklist.conf: blacklist x25) - this completely eliminates attack surface with no functional impact unless X.25 networking is actively required. For systems requiring X.25 functionality, implement network-level access controls restricting X.25 traffic to trusted sources only, though this only reduces exposure and does not eliminate the vulnerability. Note that disabling X.25 will break any applications or network configurations dependent on this legacy protocol; verify no critical systems rely on X.25 before blacklisting. Reboot required after kernel update to load patched version.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy