CVE-2026-43411
Divide-by-Zero in Linux Kernel TIPC Socket
Publication date: 2026-05-08
Last updated on: 2026-05-21
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.19 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.9 (exc) |
| linux | linux_kernel | From 4.20 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by allowing the conn_timeout value to be set below 4, which leads to a divide-by-zero error in the Linux kernel's tipc_sk_filter_connect() function.
To mitigate this vulnerability immediately, ensure that the conn_timeout value used in setsockopt(TIPC_CONN_TIMEOUT) is clamped to a minimum of 4, preventing values less than 4 from being set or used.
Applying the official patch or updating the Linux kernel to a version where this issue is fixed (such as 7.0.0-rc2+ or later) will resolve the problem.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in the function tipc_sk_filter_connect().
A user can set the connection timeout (conn_timeout) to any value using setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.
When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() runs, a modulo operation is performed with conn_timeout / 4 as the divisor.
If conn_timeout is between 0 and 3, the integer division conn_timeout / 4 yields zero, so the modulo operation raises a divide-by-zero exception.
This divide-by-zero triggers a kernel oops or panic, which is a serious error causing the kernel to crash or become unstable.
The fix clamps conn_timeout to a minimum value of 4 to prevent this divide-by-zero error.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash or panic due to a divide-by-zero error triggered by specially crafted connection timeout values.
A kernel panic or oops can lead to denial of service (DoS), making the affected system unstable or unavailable.
Since the vulnerability can be triggered by a user setting conn_timeout via setsockopt, it may be exploited locally or remotely depending on the system configuration.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a kernel oops or panic due to a divide-by-zero error in the tipc_sk_filter_connect() function when conn_timeout is set to a value less than 4 via setsockopt(TIPC_CONN_TIMEOUT).
To detect this vulnerability on your system, you can monitor your kernel logs for oops or panic messages related to tipc_sk_filter_rcv or tipc_sk_filter_connect, especially messages indicating a divide error or kernel oops.
Example commands to check for such kernel messages include:
- dmesg | grep -i 'tipc_sk_filter_rcv'
- journalctl -k | grep -i 'divide error'
- journalctl -k | grep -i 'kernel oops'
Additionally, you can audit or monitor usage of setsockopt calls with TIPC_CONN_TIMEOUT to detect if conn_timeout values less than 4 are being set, although this may require custom instrumentation or kernel tracing tools.
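The three greps above match independently of each other. As an added example (not part of the advisory or of the kernel project), the function below reports a divide error only when one of the TIPC symbols named on this page appears inside the same oops block. The sample log lines are constructed, and the function names and the 60-line window are assumptions.

```shell
#!/bin/sh
# Added example: correlate a "divide error" oops with the TIPC receive path.

# Reads kernel log text on stdin. Prints one line per oops whose trace
# contains tipc_sk_filter_connect or tipc_sk_filter_rcv.
# Returns 0 if at least one such oops was found, 1 otherwise.
find_tipc_div_oops() {
    awk '
        /divide error/ { in_oops = 1; start = $0; lines = 0; reported = 0; next }
        in_oops {
            lines++
            if (!reported && /tipc_sk_filter_(connect|rcv)/) {
                print "TIPC divide error: " start
                found++; reported = 1
            }
            # Close the block at the end-of-trace marker, or after an
            # assumed 60-line window if the marker was lost.
            if (/end trace/ || lines > 60) in_oops = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample input: one TIPC oops, one unrelated divide error, and
# a stray mention of the symbol outside any oops (must not be counted).
sample_log() {
    cat <<'EOF'
[   41.100000] e1000: eth0 NIC Link is Up
[   52.300001] Oops: divide error: 0000 [#1] SMP
[   52.300002] CPU: 0 PID: 1234 Comm: example Not tainted
[   52.300003] RIP: 0010:tipc_sk_filter_rcv+0xOFFSET/0xSIZE
[   52.300004] Call Trace:
[   52.300005]  tipc_sk_rcv+0xOFFSET/0xSIZE
[   52.300006] ---[ end trace 0000000000000000 ]---
[   90.000001] Oops: divide error: 0000 [#2] SMP
[   90.000002] RIP: 0010:unrelated_driver_fn+0xOFFSET/0xSIZE
[   90.000003] ---[ end trace 0000000000000000 ]---
[   95.000001] tipc_sk_filter_rcv mentioned outside any oops
EOF
}

# Demo on the constructed log; on a live host use instead:
#   journalctl -k | find_tipc_div_oops
sample_log | find_tipc_div_oops
```

A match shows that the crash occurred in the TIPC receive path; it does not by itself confirm which conn_timeout value was set.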