CVE-2026-43374 Git CVE debrief

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that use nexthop groups or other kernel networking features should prioritize this fix.

Technical summary

NVD lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The supplied kernel fix description says remove_nh_grp_entry() published the updated group with rcu_assign_pointer() and immediately called free_percpu(), but the synchronize_net() grace period in remove_nexthop_from_groups() ran later. The fix defers free_percpu() until after the grace period by chaining removed entries for deferred freeing, preventing RCU readers from touching freed percpu stats.

Defensive priority

High — local access is required, but the flaw affects kernel memory safety with high confidentiality, integrity, and availability impact, so patched kernels should be deployed promptly.

Recommended defensive actions

• Apply the kernel fix referenced by the supplied stable commit links and deploy the updated kernel to affected hosts.
• Prioritize systems that use nexthop groups or rely heavily on Linux networking and route-management paths.
• Schedule a reboot or maintenance window so the patched kernel is actually running.
• Verify exposure by checking whether your kernel build includes the nexthop fix associated with the referenced commits.
• Monitor for kernel warnings, crashes, or networking anomalies until remediation is complete.

Evidence notes

The supplied CVE description states that remove_nh_grp_entry() frees percpu stats before the synchronize_net() grace period completes, and that RCU readers can later reach nh_grp_entry_stats_inc()->get_cpu_ptr(nhge->stats), causing a use-after-free. The NVD metadata in the source item lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and references four kernel.org stable commit URLs. Timing context from the provided record shows the CVE was published on 2026-05-08 and modified on 2026-05-11. The supplied enrichment does not mark this CVE as KEV-listed.

Official resources