PatchSiren cyber security CVE debrief
CVE-2026-43303 Git CVE debrief
CVE-2026-43303 is a Linux kernel memory-management flaw in how freed pages are reset before reuse. According to the published fix description, some subsystems may leave page->private set when pages are freed; if those pages are later reallocated as higher-order pages and split, tail pages can retain stale page->private data. The swap subsystem assumes a newly allocated page has page->private == 0, so the stale value can make swap_count_continued() follow an invalid continuation path and walk poisoned list pointers, leading to a crash and a use-after-free condition. The public record rates this as high severity (CVSS 7.8) with local attack conditions.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Kernel maintainers, Linux distribution security teams, platform operators, and anyone running systems that rely on the affected Linux memory-management and swap paths should prioritize this issue. It is especially relevant for environments where local users or privileged-but-not-root processes can interact with the kernel over time, since the CVSS vector indicates local access and low privileges.
Technical summary
The issue is caused by stale page->private state persisting across page reuse. The report states that subsystems such as slub, shmem, and ttm may use page->private without clearing it before freeing pages. When such a page is later allocated as a high-order page and split by split_page(), tail pages may inherit the old page->private value. Swap code relies on page->private being zero on fresh allocation; when that assumption is broken, swap_count_continued() can misinterpret the page as having a valid continuation list and traverse uninitialized page->lru data containing LIST_POISON values. The published fix clears page->private in free_pages_prepare() so freed pages return to a clean state before reuse.
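The lifecycle described above, as a user-space toy model added here (not kernel code and not taken from the referenced commits). The struct, the helper names, the head-only re-initialisation on allocation and the reduction of the swap check to a non-zero test are all assumptions of the model.

```c
#include <stdio.h>

#define ORDER  2
#define NPAGES (1 << ORDER)

/* Toy stand-in for struct page: only the field this issue is about. */
struct page { unsigned long private; };

static struct page block[NPAGES];        /* one order-2 run of pages */

/* Previous owner (slub, shmem, ttm in the report) stores data in private. */
static void owner_use(struct page *p, unsigned long v) { p->private = v; }

/* Free path. clear_private = 0 models the behaviour before the fix,
 * 1 models the fix clearing page->private in free_pages_prepare(). */
static void model_free(struct page *p, int clear_private)
{
    if (clear_private)
        p->private = 0;
}

/* High-order allocation. Assumption of this model: only the head page
 * is re-initialised; tail pages are handed out untouched. */
static struct page *model_alloc_order2(void)
{
    block[0].private = 0;
    return &block[0];
}

/* Simplified stand-in for the swap-side check: a non-zero private is
 * read as "this page has a continuation list". */
static int looks_continued(const struct page *p) { return p->private != 0; }

/* Runs use -> free -> order-2 alloc -> split and returns how many of the
 * resulting order-0 pages the swap check would misread as continued. */
int stale_pages_after_split(int clear_private)
{
    int i, stale = 0;
    for (i = 0; i < NPAGES; i++) owner_use(&block[i], 0x1000UL + i);
    for (i = 0; i < NPAGES; i++) model_free(&block[i], clear_private);
    struct page *head = model_alloc_order2();
    for (i = 0; i < NPAGES; i++)          /* split: each page stands alone */
        stale += looks_continued(&head[i]);
    return stale;
}

int main(void)
{
    printf("before fix: %d stale, after fix: %d stale\n",
           stale_pages_after_split(0), stale_pages_after_split(1));
    return 0;
}
```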
Defensive priority
High. The issue is memory-corruption-adjacent, can crash the kernel, and has a local low-privilege CVSS profile. Even if exploitation is not demonstrated in the supplied corpus, kernel crashes and UAF conditions warrant prompt patching and distribution backporting.
Recommended defensive actions
- Apply the kernel fix that clears page->private in free_pages_prepare() using the referenced upstream/stable commits.
- Backport the fix into supported distribution kernels and rebuild affected kernel packages.
- Prioritize testing on systems with active swap usage and workloads that exercise slub, shmem, or ttm page reuse patterns.
- Monitor for kernel crashes or KASAN reports involving __do_sys_swapoff, swap_count_continued(), or LIST_POISON-related traces.
- Verify that any downstream kernel trees or vendor branches include the same cleanup change before release.
Evidence notes
All conclusions are drawn from the supplied CVE description and the referenced official kernel commit links. The CVE record shows CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and a published date of 2026-05-08T14:16:37.583Z, with modification on 2026-05-11T08:16:08.800Z. The corpus does not provide an affected-version range, exploit proof, or KEV listing, so those details are not asserted here.
Official resources
- CVE-2026-43303 CVE record (CVE.org)
- CVE-2026-43303 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Publicly disclosed in the CVE record on 2026-05-08 and updated on 2026-05-11. No KEV entry is indicated in the supplied corpus.