CVE-2026-43091
Linux Kernel XFRM Policy Netns Exit Race Condition
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's xfrm subsystem related to network namespace (netns) exit handling.
Specifically, the function xfrm_policy_fini() frees certain policy hash tables (policy_bydst) after flushing work items and deleting policies, but it does not wait for concurrent RCU (Read-Copy-Update) readers to finish their read-side critical sections before freeing the memory.
Because these tables are accessed using RCU mechanisms (rcu_assign_pointer() and rcu_dereference_check()), the netns teardown process must wait for an RCU grace period to ensure no readers are still accessing the tables before freeing them.
The fix involves adding a synchronize_rcu() call before freeing the policy hash tables to properly wait for all RCU readers to finish.
How can this vulnerability impact me? :
If this vulnerability is exploited or triggered, it could lead to use-after-free conditions where the kernel frees memory that is still being accessed by concurrent readers.
This can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or cause denial of service by corrupting kernel memory.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by ensuring that the Linux kernel waits for RCU readers to finish before freeing the policy hash tables during network namespace teardown.
To mitigate this vulnerability, update your Linux kernel to a version that includes the fix which adds synchronize_rcu() before freeing the policy hash tables.