CVE-2026-43402
Received Received - Intake
Use-After-Free in Linux Kernel kthread Exit Path

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer. Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit(). Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43402
EUVD
EUVD-2026-28708
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves improper cleanup during the exit of kernel threads (kthreads). Specifically, when a kthread exits via the make_task_dead() function, it bypasses the usual kthread_exit() cleanup path and misses cleaning up the affinity_node. As a result, the memory for the kthread structure is freed while still linked in a global list, leading to use-after-free conditions.

This use-after-free occurs because another kthread later attempts to remove the freed node from the global list, causing writes through dangling pointers into memory that has already been freed and potentially reused. This corrupts function pointers related to the pid structure, which can cause crashes.

The fix consolidates all kthread exit paths to ensure that kthread-specific cleanup always happens regardless of how the thread exits, preventing the use-after-free condition.


How can this vulnerability impact me? :

This vulnerability can cause kernel crashes due to corrupted function pointers resulting from use-after-free memory errors. Such crashes can lead to system instability, denial of service, or unexpected behavior in the Linux kernel.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by consolidating all kthread exit paths to ensure proper cleanup and prevent use-after-free conditions.

Immediate mitigation involves updating the Linux kernel to a version that includes the fix where kthread_exit() is turned into a macro calling do_exit(), and kthread_do_exit() is added to guarantee kthread-specific cleanup regardless of the exit path.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart