CVE-2026-43438
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel Sched Ext

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow. Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43438
EUVD
EUVD-2026-28744
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.12 (inc) to 6.12.78 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's scheduler extension (sched_ext) related to cgroup management. Specifically, the function scx_cgroup_init() incorrectly calls css_put() in an error path, even though the iterator css_for_each_descendant_pre() does not increment reference counts on the css structs it yields. Since css_put() should only be called to release references obtained via css_get() or css_tryget_online(), this unbalanced call causes a reference count underflow.

The consequence of this is a potential Use-After-Free (UAF) vulnerability, where memory that has already been freed might be accessed again, leading to undefined behavior or security risks.

Impact Analysis

This vulnerability can lead to a Use-After-Free condition in the Linux kernel, which may allow an attacker to execute arbitrary code, cause a system crash, or escalate privileges by exploiting the improper memory management.

Such impacts can compromise system stability and security, potentially allowing unauthorized access or denial of service.

Mitigation Strategies

The vulnerability is resolved by removing the unbalanced css_put() call in the Linux kernel's sched_ext subsystem. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

  • Identify your current Linux kernel version.
  • Check for available kernel updates from your Linux distribution that address this issue.
  • Apply the kernel update and reboot your system to load the patched kernel.
  • If immediate update is not possible, consider restricting access to the affected kernel subsystems to trusted users only.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart