CVE-2026-43374

HIGH EPSS 2.6%
Published May 8, 20261mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 7

VendorProductVersionRange
linuxlinux_kernel*≥6.9  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.19
linuxlinux_kernel*≥6.19  –  <6.19.9
linuxlinux_kernel6.9any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 4

  • git.kernel.org https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2
    Patch