CVE-2026-43091
Analyzed Analyzed - Analysis Complete
Linux Kernel XFRM Policy Netns Exit Race Condition

Publication date: 2026-05-06

Last updated on: 2026-05-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43091
EUVD
EUVD-2026-27592
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 4.9 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xfrm subsystem related to network namespace (netns) exit handling.

Specifically, the function xfrm_policy_fini() frees certain policy hash tables (policy_bydst) after flushing work items and deleting policies, but it does not wait for concurrent RCU (Read-Copy-Update) readers to finish their read-side critical sections before freeing the memory.

Because these tables are accessed using RCU mechanisms (rcu_assign_pointer() and rcu_dereference_check()), the netns teardown process must wait for an RCU grace period to ensure no readers are still accessing the tables before freeing them.

The fix involves adding a synchronize_rcu() call before freeing the policy hash tables to properly wait for all RCU readers to finish.

Impact Analysis

If this vulnerability is exploited or triggered, it could lead to use-after-free conditions where the kernel frees memory that is still being accessed by concurrent readers.

This can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or cause denial of service by corrupting kernel memory.

Mitigation Strategies

The vulnerability is resolved by ensuring that the Linux kernel waits for RCU readers to finish before freeing the policy hash tables during network namespace teardown.

To mitigate this vulnerability, update your Linux kernel to a version that includes the fix which adds synchronize_rcu() before freeing the policy hash tables.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart