CVE-2026-43374
Published: May 8, 2026
Modified: May 11, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected f4676ea74b8549cd88dbfe2a592ce4530039e61f - < abf4feaee6405f1441929c6ebe7a250f2cd170a7affected f4676ea74b8549cd88dbfe2a592ce4530039e61f - < ab5ebab9664214ba41a7633cb4e72f128204f924affected f4676ea74b8549cd88dbfe2a592ce4530039e61f - < 9e08ad731862b22a87cc55f752e16d66cdc9e231affected f4676ea74b8549cd88dbfe2a592ce4530039e61f - < b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 |
Linux | Linux | affected 6.9unaffected 0 - < 6.9unaffected 6.12.78 - <= 6.12.*unaffected 6.18.19 - <= 6.18.*unaffected 6.19.9 - <= 6.19.*+1 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now