Skip to main content

Linux Kernel EUVDEUVD-2026-26649

| CVE-2026-43050 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
High
Disputed · 7.0 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
3.1 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 20:30 vuln.today
CVSS changed
May 07, 2026 - 18:22 NVD
7.0 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26649
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.0
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix use-after-free in sock_def_readable()

A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue.

The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.

Fix this by converting priv->lecd to an RCU-protected pointer:

  • Mark priv->lecd as __rcu in lec.h
  • Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()

for safe pointer assignment

  • Use rcu_access_pointer() for NULL checks that do not dereference

the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach()

  • Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),

lec_handle_bridge() and lec_atm_send() to safely access lecd

  • Use rcu_assign_pointer() followed by synchronize_rcu() in

lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock.

  • Remove the manual sk_receive_queue drain from lec_atm_close()

since vcc_destroy_socket() already drains it after lec_atm_close() returns.

v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet:

  1. priv->lecd was still accessed directly after releasing the

lock instead of using a local copy.

  1. The spinlock did not prevent packets being queued after

lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().

Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.

AnalysisAI

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's ATM (Asynchronous Transfer Mode) LAN Emulation Client (LEC) driver (net/atm/lec.c), which provides legacy ATM network support. The root cause is a CWE-416 use-after-free condition in the socket handling layer. When lec_atm_close() sets priv->lecd to NULL without synchronization, concurrent threads executing send_to_lecd(), lec_handle_bridge(), or lec_atm_send() may still hold references to the freed socket structure. This creates a classic time-of-check-to-time-of-use (TOCTOU) race where RCU (Read-Copy-Update) callbacks haven't yet completed when the socket's wait queue is accessed in sock_def_readable(). The CPE data confirms this affects all Linux kernel versions from the initial ATM implementation (2.4 era commit 1da177e4c3f4) through current mainline. The fix migrates priv->lecd to RCU-protected pointer semantics with rcu_assign_pointer(), rcu_dereference(), and synchronize_rcu() barriers to enforce proper memory ordering and grace periods.

RemediationAI

Update to patched Linux kernel versions: 5.10.253+ (LTS), 5.15.203+ (LTS), 6.1.168+ (LTS), 6.6.134+ (stable), 6.12.81+ (stable), 6.18.22+ (stable), 6.19.12+ (stable), or 7.0 final release. Patch commits available at https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e (mainline) and corresponding stable branch commits (see references). For systems where immediate kernel upgrade is not feasible, disable ATM LEC functionality by unloading the lec module (modprobe -r lec) or blacklisting it (/etc/modprobe.d/blacklist-atm.conf: blacklist lec). This mitigation eliminates attack surface but breaks ATM network connectivity-only viable if ATM is not operationally required. Verify ATM usage before disabling: check lsmod | grep lec and review network interface configurations (ip link show type atm). No firewall or access control workarounds are effective as this is a local privilege escalation flaw. Monitor vendor security advisories for distribution-specific patched packages (RHEL, Ubuntu, SUSE, Debian kernel updates).

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy