CVE-2026-43411
Divide-by-Zero in Linux Kernel TIPC Socket
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0.0-rc2+ |
| linux | kernel | 7.0.0-rc2+ |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a kernel oops or panic due to a divide-by-zero error in the tipc_sk_filter_connect() function when conn_timeout is set to a value less than 4 via setsockopt(TIPC_CONN_TIMEOUT).
To detect this vulnerability on your system, you can monitor your kernel logs for oops or panic messages related to tipc_sk_filter_rcv or tipc_sk_filter_connect, especially messages indicating a divide error or kernel oops.
Example commands to check for such kernel messages include:
- dmesg | grep -i 'tipc_sk_filter_rcv'
- journalctl -k | grep -i 'divide error'
- journalctl -k | grep -i 'kernel oops'
Additionally, you can audit or monitor usage of setsockopt calls with TIPC_CONN_TIMEOUT to detect if conn_timeout values less than 4 are being set, although this may require custom instrumentation or kernel tracing tools.
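The grep commands above match independently, so an unrelated divide error or an unrelated TIPC message can each produce a hit. The following script is an added example, not part of the original page or the kernel project: it reports a divide error only when a tipc_sk_filter_connect or tipc_sk_filter_rcv frame appears in the same oops. The sample log lines, the 40-line window, and the function names find_tipc_divide_errors and sample_log are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: correlate a kernel "divide error" with TIPC frames in the same oops.
# The sample log below is constructed for illustration, not captured output.

# Assumed window: lines after a "divide error" in which a TIPC symbol must appear.
WINDOW=40

# Reads kernel log text on stdin and prints one line per matching oops:
#   "<line number of the divide error> <TIPC symbol found>"
find_tipc_divide_errors() {
    awk -v window="$WINDOW" '
        # A new divide error (re)starts the search window.
        /divide error/ { start = NR; armed = 1; next }
        # The end-of-oops marker closes the window early.
        /end trace/ { armed = 0; next }
        # Give up if the window is exhausted without a TIPC frame.
        armed && NR - start > window { armed = 0 }
        # Report the first TIPC filter function seen inside the window.
        armed && match($0, /tipc_sk_filter_(connect|rcv)/) {
            print start, substr($0, RSTART, RLENGTH)
            armed = 0
        }
    '
}

# Constructed sample: one TIPC-related divide error and one unrelated one.
sample_log() {
    cat <<'EOF'
[  101.000001] Oops: divide error: 0000 [#1] SMP
[  101.000002] RIP: 0010:tipc_sk_filter_rcv+0x0/0x0
[  101.000003] Call Trace:
[  101.000004]  placeholder_caller+0x0/0x0
[  101.000005] ---[ end trace 0000000000000000 ]---
[  250.000001] Oops: divide error: 0000 [#2] SMP
[  250.000002] RIP: 0010:placeholder_other_fn+0x0/0x0
[  250.000003] Call Trace:
[  250.000004]  placeholder_caller+0x0/0x0
[  250.000005] ---[ end trace 0000000000000000 ]---
EOF
}

# On a live host: journalctl -k --no-pager | find_tipc_divide_errors
sample_log | find_tipc_divide_errors
```

A match means the host has already crashed or oopsed on this path; an empty result only says that no such oops is present in the log that was read.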
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by allowing the conn_timeout value to be set below 4, which leads to a divide-by-zero error in the Linux kernel's tipc_sk_filter_connect() function.
To mitigate this vulnerability immediately, ensure that the conn_timeout value used in setsockopt(TIPC_CONN_TIMEOUT) is clamped to a minimum of 4, preventing values less than 4 from being set or used.
Applying the official patch or updating the Linux kernel to a version where this issue is fixed (such as 7.0.0-rc2+ or later) will resolve the problem.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in the function tipc_sk_filter_connect().
A user can set the connection timeout (conn_timeout) to any value using setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.
When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() runs, a modulo operation is performed with conn_timeout / 4 as the divisor.
If conn_timeout is between 0 and 3, the integer division yields zero, so the modulo operation divides by zero and raises a divide-by-zero exception.
This divide-by-zero triggers a kernel oops or panic, which is a serious error causing the kernel to crash or become unstable.
The fix clamps conn_timeout to a minimum value of 4 to prevent this divide-by-zero error.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash or panic due to a divide-by-zero error triggered by specially crafted connection timeout values.
A kernel panic or oops can lead to denial of service (DoS), making the affected system unstable or unavailable.
Since the vulnerability can be triggered by a user setting conn_timeout via setsockopt, it may be exploited locally or remotely depending on the system configuration.