CVE-2026-43042
Analyzed Analyzed - Analysis Complete
MPLS Label Table Race Condition in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: mpls: add seqcount to protect the platform_label{,s} pair The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses. This patch adds a seqcount, so that we get a consistent snapshot. Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43042
EUVD
EUVD-2026-26641
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 4.1 (inc) to 6.19.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's MPLS (Multiprotocol Label Switching) implementation. Specifically, the codepaths protected by RCU (Read-Copy-Update), such as mpls_forward and mpls_dump_routes, can have an inconsistent view of platform_labels versus platform_label during a concurrent resize operation of the platform_label_table. This inconsistency can lead to out-of-bounds (OOB) memory accesses.

The issue arises because the resize operation is protected by a mutex (platform_mutex), but the RCU-protected codepaths do not have a consistent snapshot of the data during this resize. To fix this, a sequence counter (seqcount) was added to ensure a consistent snapshot is obtained, preventing OOB accesses.

Additionally, the function mpls_label_ok is also susceptible to this inconsistency, so certain checks outside the mutex are not sufficient on their own. The patch ensures these checks remain intact to avoid issues.

Impact Analysis

This vulnerability can lead to out-of-bounds memory accesses in the Linux kernel's MPLS code. Such memory errors can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service.

Because the issue involves concurrent access and resizing of kernel data structures, it could be exploited to compromise system reliability or security, especially on systems using MPLS features.

Mitigation Strategies

The vulnerability in the Linux kernel related to inconsistent views of platform_labels during concurrent resize operations has been resolved by adding a seqcount to ensure consistent snapshots.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this patch which protects the platform_label pairs with seqcount.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart