PatchSiren cyber security CVE debrief

CVE-2026-43339 Git CVE debrief

CVE-2026-43339 is a Linux kernel IPv6 use-after-free issue in addrconf_permanent_addr(). According to the published description, the helper tried to warn about an exceptional condition, but the warning was issued too late and accessed the ipv6 data after it may already have been deleted. The fix reorders the logic and moves the warning outside idev->lock, reducing the chance of dereferencing freed memory.

Vendor: Git
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels with IPv6 networking enabled. Systems running affected kernel builds may be exposed to a local, high-severity stability and security issue.

Technical summary

NVD classifies the issue as CVSS 3.1 7.8 HIGH with local attack vector, low privileges required, no user interaction, and potential high impact to confidentiality, integrity, and availability. The vulnerability is described as a possible use-after-free in the IPv6 addrconf_permanent_addr() helper: a warning path executed after the underlying ipv6 object could already have been deleted. The remediation is a control-flow reordering plus moving the warning outside the idev->lock because it does not require that protection.
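The ordering problem described above, as an added illustration that is not the kernel's code or the fix itself: a constructed model of a refcounted, lock-protected per-interface object, with a warning path that reads the object after its last reference may have deleted it, beside the reordered form that snapshots what the warning needs under the lock and warns afterwards. All names (idev_put, warn_too_late, warn_before_delete, the ifindex field) are hypothetical; the last put poisons the object instead of calling free() so the misuse is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the bug class, not kernel code: a refcounted
 * per-interface object ("idev") guarded by a lock. Names are hypothetical. */
struct idev {
    int ifindex;   /* the datum the warning wants to print */
    int refcnt;
    bool locked;   /* stands in for idev->lock */
    bool freed;    /* set when the last reference is dropped */
};

static void idev_lock(struct idev *idev)   { idev->locked = true; }
static void idev_unlock(struct idev *idev) { idev->locked = false; }

static void idev_put(struct idev *idev) {
    if (--idev->refcnt == 0) {
        idev->freed = true;
        idev->ifindex = -1;    /* poison, as a debug allocator would, instead of free() */
    }
}

/* Buggy ordering: the reference is dropped (which may delete idev) and only
 * then is the warning formatted from idev's fields. Returns the value the
 * warning prints and reports whether it read deleted memory. */
static int warn_too_late(struct idev *idev, bool *read_after_delete) {
    idev_lock(idev);
    /* ... work on idev under the lock ... */
    idev_unlock(idev);
    idev_put(idev);                          /* may delete idev */
    *read_after_delete = idev->freed;        /* UAF read with a real free() */
    printf("WARNING: idev %d in unexpected state\n", idev->ifindex);
    return idev->ifindex;
}

/* Reordered form, in the spirit of the described fix: copy what the warning
 * needs while idev is valid and the lock is held, release lock and reference,
 * then warn from the copy outside the lock without touching idev again. */
static int warn_before_delete(struct idev *idev, bool *read_after_delete) {
    idev_lock(idev);
    int ifindex = idev->ifindex;             /* snapshot under the lock */
    idev_unlock(idev);
    idev_put(idev);                          /* may delete idev; never dereferenced again */
    *read_after_delete = false;
    printf("WARNING: idev %d in unexpected state\n", ifindex);
    return ifindex;
}
```

Under a real allocator the late read would be the use-after-free that KASAN or slab poisoning reports; the reordered form prints the same warning without that hazard.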

Defensive priority

High. This is a kernel memory-safety flaw in core IPv6 address configuration code, so patching should be prioritized for any environment running affected Linux kernel versions.

Recommended defensive actions

  • Review the kernel.org stable references listed in the NVD record to identify the fixing commit(s) and any backported patches applicable to your kernel line.
  • Apply the vendor or distribution kernel update that contains the fix for addrconf_permanent_addr().
  • If immediate patching is not possible, accelerate testing and rollout for systems that make active use of IPv6 networking.
  • Track affected fleet kernel versions and confirm they match the fixed release stream before closing remediation.
  • Make sure your vulnerability management sources reflect the CVE's 2026-05-08 publication date and 2026-05-11 last-modified date so remediation timelines are interpreted correctly.

Evidence notes

All substantive claims here are drawn from the supplied CVE description and the NVD record. The description explicitly states that the issue is in the Linux kernel, involves addrconf_permanent_addr(), and is a possible use-after-free caused by a warning being emitted after a possible deletion. The NVD metadata supplies CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and lists multiple git.kernel.org stable commit references.

Official resources

Public CVE disclosure date used here is 2026-05-08T14:16:43.777Z, with a modified timestamp of 2026-05-11T08:16:10.293Z. No exploit details are included beyond the published vulnerability description.