CVE-2026-43374
Received Received - Intake
Use-After-Free in Linux Kernel Nexthop Group Management

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43374
EUVD
EUVD-2026-28680
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's networking code related to nexthop groups. When a nexthop is removed from a group, the function remove_nh_grp_entry() updates the group pointer and immediately frees the removed entry's per-CPU statistics memory. However, the synchronization that ensures all readers have finished accessing the old data happens after this free operation. As a result, readers that started before the update may still access the freed memory, causing a use-after-free condition on per-CPU memory.

The fix involves deferring the freeing of the per-CPU statistics until after the synchronization grace period completes, ensuring no readers are accessing the freed memory.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the Linux kernel, including potential system crashes, data corruption, or security issues such as privilege escalation or denial of service. Since it involves kernel memory management, exploitation could compromise system stability or security.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the use-after-free issue in the nexthop group removal code. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Identify the current kernel version running on your system.
  • Check for available kernel updates from your Linux distribution that address this issue.
  • Apply the kernel update and reboot the system to load the patched kernel.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart