Security Vulnerability Report
CVE-2026-43374 CVSS 7.8 HIGH

CVE-2026-43374

Published: 2026-05-08 15:16:49
Last Modified: 2026-05-11 08:16:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
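The ordering the description walks through, as an added single-threaded C model that is not kernel code and not part of this record: the free and the RCU grace period are simulated (a freed flag on the stats object, a constructed readers_in_flight counter) so the stale access is detected instead of crashing, and only the names nh_grp_entry, nh_list, free_percpu and synchronize_net are borrowed from the description; run_scenario(false) plays the buggy order, run_scenario(true) the deferred-free fix.

```c
#include <stdbool.h>
#include <stddef.h>
struct stats { bool freed; unsigned long packets; };
struct nh_grp_entry { struct stats *stats; struct nh_grp_entry *nh_list; };
struct nh_group { int num_nh; struct nh_grp_entry nh_entries[2]; };

static struct nh_group *published;     /* target of rcu_assign_pointer() */
static struct nh_grp_entry *deferred;  /* the fix's local deferred free list */
static int readers_in_flight;          /* constructed stand-in for RCU reader tracking */
static void free_percpu(struct stats *s) { s->freed = true; }   /* simulated free */

/* Reader side, like nh_grp_entry_stats_inc(): false means it touched freed memory. */
static bool stats_inc(struct nh_group *grp, int i) {
    struct stats *s = grp->nh_entries[i].stats;   /* get_cpu_ptr(nhge->stats) */
    if (s->freed) return false;                   /* the use-after-free */
    s->packets++;
    return true;
}
/* synchronize_net() stand-in: the kernel blocks until readers leave; this model
 * instead drains the deferred list only once no reader is inside. */
static void synchronize_net(void) {
    if (readers_in_flight) return;                /* grace period not over yet */
    while (deferred) {
        struct nh_grp_entry *e = deferred;
        deferred = e->nh_list;
        free_percpu(e->stats);                    /* safe: every reader is gone */
    }
}
static void remove_nh_grp_entry(struct nh_group *newg, struct nh_grp_entry *nhge, bool fixed) {
    published = newg;                             /* rcu_assign_pointer(): new group visible */
    if (!fixed) { free_percpu(nhge->stats); return; }  /* bug: freed before the grace period */
    nhge->nh_list = deferred;                     /* fix: chain via nh_list, free later */
    deferred = nhge;
}
/* The advisory's interleaving: a reader enters before the publish and keeps using
 * the old group. True only if it stayed safe AND the stats were freed afterwards. */
static bool run_scenario(bool fixed) {
    struct stats s0 = { false, 0 }, s1 = { false, 0 };
    struct nh_group old = { 2, { { &s0, NULL }, { &s1, NULL } } };
    struct nh_group newg = { 1, { { &s0, NULL }, { NULL, NULL } } };
    published = &old; deferred = NULL; readers_in_flight = 0;
    readers_in_flight++;                          /* rcu_read_lock() */
    struct nh_group *seen = published;            /* reader grabs the old group */
    remove_nh_grp_entry(&newg, &old.nh_entries[1], fixed);
    synchronize_net();                            /* caller: reader still inside */
    bool safe = stats_inc(seen, 1);               /* stale group, removed entry */
    readers_in_flight--;                          /* rcu_read_unlock() */
    synchronize_net();                            /* grace period can end now */
    return safe && s1.freed;
}
```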

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < 6.1
Linux Kernel < 5.15
Linux Kernel < 5.10
Linux Kernel < 5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// PoC Concept for CVE-2026-43374
// Triggering race condition in nexthop group removal
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

void setup_nexthop_group(int sock_fd) {
    // Implementation to create a nexthop group
    // This involves sending NETLINK_ROUTE messages to add nexthops
    printf("[*] Setting up vulnerable nexthop group...\n");
}

void trigger_remove_race(int sock_fd) {
    // Implementation to remove entry, triggering remove_nh_grp_entry
    printf("[*] Triggering removal to exploit UAF...\n");
    // In a real exploit, precise timing is needed to hit the window
    // between free_percpu() and synchronize_net()
}

int main() {
    int sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sock_fd < 0) {
        perror("socket");
        return 1;
    }
    setup_nexthop_group(sock_fd);
    // Loop to increase chances of hitting the race condition
    for (int i = 0; i < 1000; i++) {
        trigger_remove_race(sock_fd);
    }
    close(sock_fd);
    return 0;
}

References

https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231
https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924
https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7
https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43374",
    "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "published": "2026-05-08T15:16:48.547",
    "lastModified": "2026-05-11T08:16:11.970",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: fix percpu use-after-free in remove_nh_grp_entry\n\nWhen removing a nexthop from a group, remove_nh_grp_entry() publishes\nthe new group via rcu_assign_pointer() then immediately frees the\nremoved entry's percpu stats with free_percpu(). However, the\nsynchronize_net() grace period in the caller remove_nexthop_from_groups()\nruns after the free. RCU readers that entered before the publish still\nsee the old group and can dereference the freed stats via\nnh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a\nuse-after-free on percpu memory.\n\nFix by deferring the free_percpu() until after synchronize_net() in the\ncaller. Removed entries are chained via nh_list onto a local deferred\nfree list. After the grace period completes and all RCU readers have\nfinished, the percpu stats are safely freed."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "references": [
      {"url": "https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}
    ]
  }
}