CVE-2026-43050
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel ATM LEC Module

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix use-after-free in sock_def_readable() A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue. The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown. Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns. v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue(). Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-43050
EUVD
EUVD-2026-26649
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's ATM LEC (Logical Link Control) code, specifically in the function sock_def_readable().

A race condition occurs because lec_atm_close() sets a pointer (priv->lecd) to NULL without synchronization, while other functions concurrently access this pointer. If the socket is freed while another thread is still using it, the code tries to access memory that has already been freed, causing a use-after-free.

The fix involves converting priv->lecd to an RCU-protected pointer and using appropriate RCU mechanisms (like rcu_assign_pointer, rcu_access_pointer, rcu_read_lock, etc.) to ensure safe concurrent access and prevent the race condition.


How can this vulnerability impact me? :

A use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

In this specific case, the race condition in the ATM LEC code could cause kernel instability or crashes, impacting system reliability and security.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by applying the patch that converts priv->lecd to an RCU-protected pointer in the Linux kernel's atm: lec module.

  • Update your Linux kernel to a version that includes the fix for CVE-2026-43050.
  • Ensure that the fix includes the use of rcu_assign_pointer(), rcu_access_pointer(), and proper RCU locking mechanisms as described.
  • Avoid using any kernel versions that still use the vulnerable spinlock + sock_hold/put approach.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart