CVE-2026-43050

HIGH EPSS 2.0%
Published May 1, 20261mo ago · Modified Jun 17, 20261w ago
7.0 CVSS 3.1
High
Find Similar
Published May 1, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix use-after-free in sock_def_readable() A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue. The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown. Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns. v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue(). Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 16

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a
    Patch