CVE-2026-43374

Published: Mag 08, 2026 Last Modified: Mag 08, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.

https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e…

https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231

https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e…

https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924

https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7…

https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7

https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f0…

https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2

CVE-2026-43374

Description

Iscriviti alla newsletter