PatchSiren

CVE-2026-43296 Git CVE debrief

CVE-2026-43296 is a Linux kernel availability issue in octeontx2-af on OcteonTX2-related networking paths. The published workaround disables SQM sticky operation, blocks a sticky-to-non-sticky transition that can deadlock PSE, and keeps a control-flow clock enabled to prevent credit drops. On affected systems, the bug can surface as transmit stalls, deadlock-like behavior, or loss of forward progress under concurrent load.

Vendor: Git
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Kernel maintainers, distro security teams, and operators running Linux systems with octeontx2-af support or OcteonTX2 networking hardware. It is most relevant where multiple SQs share an SMQ and transmit concurrently, especially in production environments that depend on continuous network availability.

Technical summary

The CVE description says NIX SQ manager sticky mode can stall when multiple SQs share an SMQ and transmit concurrently. It also notes a PSE deadlock risk during transitions between sticky and non-sticky transmissions, plus observed credit drops when certain condition clocks are gated. The workaround changes NIX_AF_SQM_DBG_CTL_STATUS to clear TM6 and TM11, clear TM5, and set TM9. In practical terms, the fix sacrifices sticky optimizations to preserve forward progress and avoid credit loss.

Defensive priority

High for affected kernels and hardware: the impact is limited to availability, but it can halt or degrade network traffic handling under load. Prioritize systems that use OcteonTX2 networking paths in latency-sensitive or high-throughput environments.

Recommended defensive actions

  • Apply the Linux kernel update that includes the octeontx2-af workaround for CVE-2026-43296.
  • If you maintain downstream kernels, backport the documented SQM debug-control changes carefully and validate that TM6, TM11, and TM5 are cleared and TM9 is set as described in the fix.
  • Test affected systems under realistic concurrent transmit load after patching to confirm SQM/PSE forward progress and absence of credit drops.
  • Monitor for transmit stalls, queue progress issues, or other availability symptoms on systems using the affected hardware path.
  • Track vendor and distribution advisories for any additional guidance on the OcteonTX2 workaround and rollout order.
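
The post-patch load test and stall monitoring recommended above can be scored with a forward-progress check like the one below. It is an added example, not code from the kernel patch or the advisory. It assumes you have already sampled a cumulative transmit counter and a queue backlog for the interface (for example the interface's tx_packets statistic and the qdisc backlog), and the Sample type, find_stalls function, and threshold are hypothetical names and values chosen here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float         # seconds since capture start
    tx_packets: int  # cumulative transmit counter for the interface
    backlog: int     # bytes still queued for transmit at sample time

def find_stalls(samples, min_duration=2.0):
    """Return (start, end) windows in which data stayed queued while the
    transmit counter did not advance for at least min_duration seconds."""
    stalls, start = [], None
    for prev, cur in zip(samples, samples[1:]):
        # Stuck = work was pending at both ends of the interval, yet nothing
        # was sent. An idle link (backlog 0) or a counter reset is not a stall.
        stuck = (cur.tx_packets == prev.tx_packets
                 and prev.backlog > 0 and cur.backlog > 0)
        if stuck:
            if start is None:
                start = prev.t
        else:
            if start is not None and prev.t - start >= min_duration:
                stalls.append((start, prev.t))
            start = None
    if start is not None and samples[-1].t - start >= min_duration:
        stalls.append((start, samples[-1].t))  # still stalled at end of capture
    return stalls

# Constructed samples (not measurements from real hardware).
SAMPLES = [Sample(*row) for row in [
    (0.0, 1000, 0), (1.0, 1500, 2000), (2.0, 1500, 9000), (3.0, 1500, 9000),
    (4.0, 1500, 9000), (5.0, 2100, 500), (6.0, 2100, 0), (7.0, 2100, 0),
    (8.0, 2100, 300), (9.0, 2100, 300), (10.0, 2400, 0),
]]

if __name__ == "__main__":
    for begin, end in find_stalls(SAMPLES):
        print(f"no forward progress from t={begin}s to t={end}s")
```

Requiring a non-zero backlog at both ends of an interval keeps an idle link from being reported as a stall; tune min_duration to the sampling interval used during the load test.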

Evidence notes

The CVE was published on 2026-05-08 and last modified on 2026-05-11 per the supplied timeline. The vulnerability description and the referenced stable kernel links indicate the issue is a hardware-errata workaround in octeontx2-af, with the mitigation applied through NIX_AF_SQM_DBG_CTL_STATUS. The CVSS vector provided is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which supports rating the availability risk as high. No exploit details are included here; this debrief is based only on the supplied CVE text, timeline, and official reference links.

Official resources

Public CVE published by the official sources on 2026-05-08; this debrief relies only on the supplied CVE record, timeline, and official reference links.