CVE-2026-43303

Published: Mag 08, 2026 Last Modified: Mag 08, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.

This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:

KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.

https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d…

https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f

https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc23…

https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9

https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942…

https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb

CVE-2026-43303

Description

Iscriviti alla newsletter