Skip to main content

Linux Kernel EUVDEUVD-2026-27592

| CVE-2026-43091 HIGH
2026-05-06 Linux GHSA-jrph-46wx-r2g3
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:25 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Wait for RCU readers during policy netns exit

xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first.

The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory.

Fix this by adding synchronize_rcu() before freeing the policy hash tables.

AnalysisAI

Use-after-free in Linux kernel's XFRM subsystem allows local authenticated users to gain elevated privileges through a race condition during network namespace teardown. The xfrm_policy_fini() function frees policy hash tables without waiting for concurrent RCU readers, enabling attackers with low-level privileges to exploit the timing window between policy deletion and memory deallocation. EPSS score is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 7.8 reflects high impact if successfully exploited. Vendor-released patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, mainline 7.0).

Technical ContextAI

The vulnerability resides in the Linux kernel's XFRM (IPsec transformation) framework, specifically in the policy management subsystem that handles network namespace cleanup. XFRM policies use RCU (Read-Copy-Update) synchronization for lockless reads: policy_bydst hash tables are published via rcu_assign_pointer() and accessed via rcu_dereference_check(). The affected code path in xfrm_policy_fini() performs netns teardown by flushing work items and deleting policies, then immediately frees the hash table memory without calling synchronize_rcu(). This violates RCU semantics where readers may still hold references during their grace period. CPE data confirms widespread impact across Linux kernel versions starting from the commit e1e551bc56302b80ff930c966f9985095fb1b70d in version 4.9 forward. The root cause is a classic RCU use-after-free race: concurrent readers in critical sections can access freed memory if the grace period hasn't elapsed, leading to memory corruption. The fix adds a single synchronize_rcu() call before kfree() to ensure all RCU readers complete their critical sections before memory deallocation.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136+ for the 6.6.x LTS branch, 6.12.83+ for 6.12.x, 6.18.24+ for 6.18.x, 6.19.14+ for 6.19.x, or 7.0+ for mainline. Specific patch commits available at https://git.kernel.org/stable/c/438b1f668ad58f46ce699bb48e4698a7839e3f9e (6.6.x), https://git.kernel.org/stable/c/33a3149dd81a1e2f52b80ee1e0fc380b39f3d028 (6.12.x), https://git.kernel.org/stable/c/b66920a3348c0f63ba18365248fa21fbf0b3a937 (6.18.x), https://git.kernel.org/stable/c/3733fce2871c9bca9dd18a1a23b1432ea215a094 (6.19.x), and https://git.kernel.org/stable/c/069daad4f2ae9c5c108131995529d5f02392c446 (mainline). If immediate patching is not feasible, compensating controls include: restricting unprivileged user namespaces via sysctl kernel.unprivileged_userns_clone=0 (prevents namespace creation by non-root users, breaking some containerized workflows and user-mode applications like Chrome sandboxing), applying strict container seccomp profiles blocking unshare() and clone() with CLONE_NEWNET (reduces container escape risk but may break legitimate networking tools), and implementing mandatory access controls (SELinux/AppArmor) to restrict namespace operations (requires policy customization per workload). These mitigations reduce attack surface but do not eliminate the race condition-patching remains the only complete fix. Side effect: disabling user namespaces breaks rootless containers (Podman, Docker rootless mode) and Flatpak sandboxing.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy