CVE-2026-43366 Git CVE debrief

Who should care

Linux kernel maintainers, distro security and kernel teams, and operators of systems that rely on io_uring/io-wq should review this CVE. It is a local, low-privilege issue with high CVSS impact, so multi-user and exposed server environments should prioritize patching.

Technical summary

NVD lists CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is described as a race/gap in io_uring/kbuf legacy recycling: a buffer can be grabbed, the list can be emptied and converted to a ring-provided type before recycle, and the old recycle logic did not re-check that the target buffer_list was still present and still legacy. The fix adds those validation checks in the recycle path.

Defensive priority

High. This is a kernel-level flaw with local attack prerequisites but potentially severe confidentiality, integrity, and availability impact.

Recommended defensive actions

• Apply the Linux kernel stable or vendor updates that include the io_uring/kbuf recycle fix.
• Prioritize patching hosts that enable io_uring and may use io-wq for forced request handling.
• Verify downstream backports include the added buffer_list existence and type checks in the legacy recycle path.
• Review distro and kernel advisories for the specific release train in use before maintenance windows.
• Treat this as a high-priority local-privilege risk on shared or multi-tenant systems.

Evidence notes

This debrief is based only on the supplied CVE/NVD record and the kernel stable references listed there. The CVE description explicitly states the race window, the possible upgrade to a ring-provided type, the io-wq forcing condition, and the missing checks on recycle. The source corpus does not include exploit code, confirmed exploitation, or impacted version ranges. CVE publishedAt: 2026-05-08T15:16:47.623Z; modifiedAt: 2026-05-11T08:16:11.427Z.

Official resources