CVE-2026-43198
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel TCP Stack

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43198
EUVD
EUVD-2026-27757
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 6.18.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's TCP implementation, specifically in the function tcp_v6_syn_recv_sock(). The issue arises because some code is executed too late after the call to tcp_v4_syn_recv_sock(), which causes the child socket to become visible prematurely in the TCP ehash table. This premature visibility allows other CPUs to access the child socket while it is still in an inconsistent state, as the newinet->pinet6 pointer still references the listener's ipv6_pinfo. This race condition can lead to unexpected or erroneous behavior.

The fix involved moving the problematic code into a new helper function tcp_v6_mapped_child_init() and calling this helper from tcp_v4_syn_recv_sock() before the child socket is inserted into the ehash table. This ensures the child socket is fully initialized before becoming visible to other CPUs.

Impact Analysis

This vulnerability can lead to race conditions in the TCP stack of the Linux kernel, potentially causing instability or unexpected behavior in network connections. Since the child socket may be accessed before it is fully initialized, this could result in data corruption, denial of service, or other unpredictable network issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart