Skip to main content

Linux Kernel EUVDEUVD-2026-28708

| CVE-2026-43402 CRITICAL
Use After Free (CWE-416)
2026-05-08 Linux GHSA-v6fj-q6v9-3hmm
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:32 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:21 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

kthread: consolidate kthread exit paths to prevent use-after-free

Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes.

struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78.

When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer.

Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit().

Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly.

AnalysisAI

Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.

Technical ContextAI

This vulnerability affects the Linux kernel's kthread (kernel thread) management subsystem, specifically the interaction between thread exit paths and SLAB memory allocator reuse. The root cause involves a memory layout collision introduced by the pidfs rhashtable conversion that replaced rb_node (24 bytes) with rhash_head (8 bytes) in struct pid, shrinking it from 160 to 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN enabled, struct pid and struct kthread both round to 192 bytes and share the same SLAB cache. Critical overlapping fields are struct pid.rcu.func and struct kthread.affinity_node at offset 0x78. When kthread exits via make_task_dead() bypassing proper cleanup, free_kthread_struct() frees memory while affinity_node remains linked in the global kthread_affinity_list. Subsequent list_del() operations by other kernel threads write through dangling list pointers into freed memory that has been reallocated for struct pid objects, corrupting RCU callback function pointers. The fix consolidates exit paths by making kthread_exit() call do_exit() and adding kthread_do_exit() invoked from do_exit() for all PF_KTHREAD tasks, guaranteeing cleanup regardless of exit path.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.19, 6.19.9, 7.0 or later. Patches available via upstream Git commits 4729c7b00a347fd37d0cbc265b85f2884c3e06b6, 5a591d7a5e48d30100943940a30a6ab41b15c672, and 28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f consolidating kthread exit paths. Distribution-specific kernel updates should be obtained through normal vendor channels (apt, yum, zypper). For systems unable to immediately patch, no effective workaround exists since the vulnerability resides in core kernel thread management. Disabling CONFIG_SLAB_MERGE_DEFAULT requires kernel recompilation and significantly impacts memory efficiency (not recommended for production). Compensating controls are limited to reducing attack surface by minimizing local access and enforcing strict privilege separation, though this only raises the bar for attackers already possessing kernel-level access. Organizations should prioritize patch deployment during standard maintenance windows given the low EPSS score and absence of active exploitation. Critical infrastructure and systems with untrusted local users should prioritize faster patching timelines.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy