CVE-2026-43411
Analyzed - Analysis Complete
Divide-by-Zero in Linux Kernel TIPC Socket

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix divide-by-zero in tipc_sk_filter_connect()

A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes:

    delay %= (tsk->conn_timeout / 4);

If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic.

Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect().

    Oops: divide error: 0000 [#1] SMP KASAN NOPTI
    CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
    RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
    Call Trace:
     tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
     __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
     release_sock (net/core/sock.c:3797)
     tipc_connect (net/tipc/socket.c:2570)
     __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)

Meta Information

Published: 2026-05-08
Last Modified: 2026-05-21
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18

Affected Vendors & Products
Showing 10 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 6.2 (inc) to 6.6.130 (exc)
linux    linux_kernel   From 5.11 (inc) to 5.15.203 (exc)
linux    linux_kernel   From 5.16 (inc) to 6.1.167 (exc)
linux    linux_kernel   From 6.13 (inc) to 6.18.19 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.78 (exc)
linux    linux_kernel   From 6.19 (inc) to 6.19.9 (exc)
linux    linux_kernel   From 4.20 (inc) to 5.10.253 (exc)

CWE ID    Description
CWE-369   The product divides a value by zero.

Mitigation Strategies

The vulnerability is caused by allowing the conn_timeout value to be set below 4, which leads to a divide-by-zero error in the Linux kernel's tipc_sk_filter_connect() function.

To mitigate this vulnerability immediately, ensure that the conn_timeout value used in setsockopt(TIPC_CONN_TIMEOUT) is clamped to a minimum of 4, preventing values less than 4 from being set or used.

Applying the official patch or updating the Linux kernel to a version where this issue is fixed (such as 7.0.0-rc2+ or later) will resolve the problem.

Executive Summary

This vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in the function tipc_sk_filter_connect().

A user can set the connection timeout (conn_timeout) to any value using setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.

When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() runs, a modulo operation is performed using conn_timeout divided by 4.

If conn_timeout is between 0 and 3, the division results in zero, causing a divide-by-zero exception during the modulo operation.

This divide-by-zero triggers a kernel oops or panic, which is a serious error causing the kernel to crash or become unstable.

The fix clamps conn_timeout to a minimum value of 4 to prevent this divide-by-zero error.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or panic due to a divide-by-zero error triggered by specially crafted connection timeout values.

A kernel panic or oops can lead to denial of service (DoS), making the affected system unstable or unavailable.

Since the vulnerability can be triggered by a user setting conn_timeout via setsockopt, it may be exploited locally or remotely depending on the system configuration.

Detection Guidance

This vulnerability causes a kernel oops or panic due to a divide-by-zero error in the tipc_sk_filter_connect() function when conn_timeout is set to a value less than 4 via setsockopt(TIPC_CONN_TIMEOUT).

To detect whether this vulnerability has been triggered on your system, monitor the kernel logs for oops or panic messages that reference tipc_sk_filter_rcv or tipc_sk_filter_connect, especially messages indicating a divide error or kernel oops.

Example commands to check for such kernel messages include:

  • dmesg | grep -i 'tipc_sk_filter_rcv'
  • journalctl -k | grep -i 'divide error'
  • journalctl -k | grep -i 'kernel oops'

Additionally, you can audit or monitor usage of setsockopt calls with TIPC_CONN_TIMEOUT to detect if conn_timeout values less than 4 are being set, although this may require custom instrumentation or kernel tracing tools.
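
The three grep commands above each match on a single string. The following added example (not part of the advisory or of any kernel tooling) correlates the two signals, reporting only a "divide error" oops whose RIP line lies in tipc_sk_filter_rcv or tipc_sk_filter_connect. The function name, the 8-line window and both sample logs are assumptions made for illustration; the sample timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag kernel oopses where a
# "divide error" header is followed by a RIP inside TIPC's socket filter.

# Reads kernel log text on stdin. Prints one MATCH line per correlated oops;
# exit status is 0 when at least one is found, 1 otherwise.
scan_tipc_divide_oops() {
    awk '
        # The oops header opens a short window in which the RIP line must appear.
        /divide error:/ { window = 8; header = $0; next }
        window > 0 {
            window--
            if ($0 ~ /RIP: .*tipc_sk_filter_(rcv|connect)/) {
                print "MATCH: " header " || " $0
                found++
                window = 0
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: message text from the advisory, timestamps made up.
sample_tipc_oops() {
    cat <<'EOF'
[   42.100001] Oops: divide error: 0000 [#1] SMP KASAN NOPTI
[   42.100010] CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
[   42.100020] RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
[   42.100030] Call Trace:
[   42.100040]  tipc_sk_backlog_rcv (net/tipc/socket.c:2406)
EOF
}

# Constructed sample: a divide error in a hypothetical, unrelated function.
sample_unrelated_oops() {
    cat <<'EOF'
[   77.500001] Oops: divide error: 0000 [#1] SMP
[   77.500010] RIP: 0010:example_driver_fn+0x1c/0x40
EOF
}

sample_tipc_oops | scan_tipc_divide_oops
sample_unrelated_oops | scan_tipc_divide_oops || echo "no TIPC divide error in second sample"
```

On a live system the same function can be fed from `journalctl -k` or `dmesg`; the non-zero exit status when nothing matches makes it usable in a scheduled check.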
