CVE-2026-43249
Awaiting Analysis
Race Condition in Linux Kernel 9p/xen Filesystem

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash.

This is a fix for the following double-free:

[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
[ 27.052418] Call Trace:
[ 27.052420] <TASK>
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426] ? xenbus_otherend_changed+0x72/0x140
[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434] xenwatch_thread+0x94/0x1c0
[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10
[ 27.052442] kthread+0xf8/0x240
[ 27.052445] ? __pfx_kthread+0x10/0x10
[ 27.052449] ? __pfx_kthread+0x10/0x10
[ 27.052452] ret_from_fork+0x16b/0x1a0
[ 27.052456] ? __pfx_kthread+0x10/0x10
[ 27.052459] ret_from_fork_asm+0x1a/0x30
[ 27.052463] </TASK>
[ 27.052465] Modules linked in:
[ 27.052471] ---[ end trace 0000000000000000 ]---

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

Vendor        Product   Version / Range
xen_project   xen       *
xen           xen       *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's 9p/xen subsystem, specifically involving the xen_9pfs_front_free function. The issue arises because the xenwatch thread can race with other back-end change notifications, causing xen_9pfs_front_free() to be called twice concurrently. This leads to a double-free error, which triggers a general protection fault and causes the system to crash.

The fix involves protecting the teardown path so that only one caller can release the front-end state at a time, preventing the double-free and the resulting crash.


How can this vulnerability impact me?

This vulnerability can cause a system crash due to a double-free error in the Linux kernel's 9p/xen subsystem. Such crashes can lead to denial of service, potentially disrupting operations on affected systems running the vulnerable kernel.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a general protection fault caused by a double-free in the Linux kernel related to the xen_9pfs_front_free function. Detection involves monitoring system logs for specific kernel crash messages.

You can search your system logs (for example with dmesg or journalctl) for the kernel oops trace that indicates the double-free:

  • dmesg | grep -i 'xen_9pfs_front_free'
  • journalctl -k | grep -i 'xen_9pfs_front_free'

Look specifically for general protection faults or oops messages referencing xenwatch and xen_9pfs_front_free, which indicate the race condition and double-free problem.
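
A bare grep for the function name also matches unrelated log lines, so the added example below (not part of the original page or of the kernel fix) groups each oops record and reports only those whose faulting RIP is inside xen_9pfs_front_free. The names scan_9pfs_oops and sample_log are assumptions, and the sample log is constructed from the trace in the description.

```shell
#!/usr/bin/env bash
# Added example: flag kernel oops records that match this CVE's crash signature.

# Constructed sample: abridged lines from the trace in the description, plus
# one unrelated line that a plain grep would also hit.
sample_log() {
cat <<'EOF'
[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052471] ---[ end trace 0000000000000000 ]---
[ 31.000000] constructed: informational line mentioning xen_9pfs_front_free
EOF
}

# Reads a kernel log on stdin. Prints one MATCH line per oops whose faulting
# RIP is inside xen_9pfs_front_free; exit status 0 if any matched, 1 if none.
scan_9pfs_oops() {
  awk '
    function report() {
      if (rip ~ /xen_9pfs_front_free\+/) {
        printf "MATCH comm=%s rip=%s freed_memory_poison=%s\n", comm, rip, poison
        hits++
      }
      in_oops = 0
    }
    # Start of a new oops record: reset per-record state.
    /Oops: |general protection fault/ && !in_oops { in_oops = 1; comm = "?"; rip = ""; poison = "no" }
    # 0x6b is the POISON_FREE byte written over freed slab objects, so this
    # value shows the code dereferenced memory that was already freed.
    in_oops && /6b6b6b6b6b6b6b6b/ { poison = "yes" }
    in_oops && match($0, /Comm: [^ ]+/) { comm = substr($0, RSTART + 6, RLENGTH - 6) }
    # Keep only the first RIP line (the faulting instruction).
    in_oops && rip == "" && match($0, /RIP: [^ ]+/) { rip = substr($0, RSTART + 5, RLENGTH - 5) }
    in_oops && /end trace/ { report() }
    # A record cut off before its end-trace marker is still evaluated.
    END { if (in_oops) report(); exit (hits > 0 ? 0 : 1) }
  '
}

# Real use: dmesg | scan_9pfs_oops    or    journalctl -k | scan_9pfs_oops
sample_log | scan_9pfs_oops
```

The poison field reads "yes" only on kernels that poison freed slab memory, as the DEBUG_PAGEALLOC build in the trace does; without it the same double-free may fault at a different address.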


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by guarding the teardown path in the Linux kernel so that only one caller can release the front-end state at a time, preventing the double-free crash.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider limiting or disabling the use of the affected 9p/xen filesystem features or xenwatch thread functionality until the patch can be applied.

Monitoring for crash logs as described can also help identify if the vulnerability is being triggered.

