Security Vulnerability Report
CVE-2026-43383 CVSS 9.4 CRITICAL

CVE-2026-43383

Published: 2026-05-08 15:16:50
Last Modified: 2026-05-11 08:16:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

CVSS Details

CVSS Score
9.4
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Stable kernels prior to commit 02669e2a4d207068edce7e8b5fafd85822018ce6)
Linux Kernel (Mainline kernel prior to patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC Concept for CVE-2026-43383
 * This demonstrates the vulnerable logic vs the fix.
 * Actual exploitation requires high-precision timing over the network.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Simulated MAC length
#define MAC_LEN 16

// Vulnerable implementation (using memcmp)
int vulnerable_mac_compare(const unsigned char *a, const unsigned char *b)
{
    // memcmp returns 0 on match, non-zero on mismatch.
    // It exits early on the first mismatch, leaking timing info.
    return memcmp(a, b, MAC_LEN) == 0;
}

// Secure implementation (constant-time compare)
int secure_mac_compare(const unsigned char *a, const unsigned char *b)
{
    unsigned int result = 0;

    // OR together the XOR of every byte pair; no early exit,
    // so the loop runs the same number of iterations every time.
    for (int i = 0; i < MAC_LEN; i++)
        result |= a[i] ^ b[i];

    // result is 0 only if all bytes match
    return result == 0;
}

int main(void)
{
    unsigned char correct_mac[MAC_LEN] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
    };
    unsigned char guess_mac[MAC_LEN] = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };

    printf("Testing Vulnerable Compare:\n");
    // In a real attack, an attacker measures the time taken here.
    // If it returns very fast, the first byte was wrong.
    if (vulnerable_mac_compare(correct_mac, guess_mac))
        printf("MAC Match!\n");
    else
        printf("MAC Mismatch.\n");

    printf("\nTesting Secure Compare:\n");
    // This function always takes the same amount of time,
    // regardless of where the mismatch occurs.
    if (secure_mac_compare(correct_mac, guess_mac))
        printf("MAC Match!\n");
    else
        printf("MAC Mismatch.\n");

    return 0;
}
```

References

https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6
https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd
https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3
https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb
https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc
https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624
https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43383", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:49.593", "lastModified": "2026-05-11T08:16:12.450", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp-md5: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant\ntime. Use the appropriate helper function for this."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "references": [{"url": "https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}