PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43383 Git CVE debrief

CVE-2026-43383 is a Linux kernel networking issue in net/tcp-md5 where MAC values were compared in a way that could leak information through timing differences. The published fix switches to a constant-time comparison helper to reduce timing-attack risk. NVD rates the issue Critical with a network-reachable CVSS vector.

Vendor: Git
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, and operators of systems that use TCP-MD5-protected network services should prioritize this advisory, especially where the kernel is exposed to untrusted network traffic.

Technical summary

The vulnerability is described as an incorrect MAC comparison in the Linux kernel's tcp-md5 code path. A comparison that stops at the first differing byte takes longer the more leading bytes of a candidate MAC are correct, so its execution time reveals information about the expected value; because MAC checks must not leak in this way, the fix uses a constant-time helper whose work does not depend on the input. The supplied NVD record lists CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H, indicating network exposure and potential impact if the timing weakness is exploitable.
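The following C program is an added illustration, not code from the kernel or from this advisory, of the difference between the two comparison styles the summary describes. It places an early-exit byte comparison beside a constant-time one written in the same shape as the kernel's crypto_memneq() (the advisory does not name the helper the fix uses; that choice is an assumption here). Instead of measuring wall-clock time, each routine reports how many bytes it touched before deciding, which makes the leak visible deterministically. The 16-byte digest values are constructed sample data, not a real TCP-MD5 MAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP-MD5 (RFC 2385) carries a 16-byte MD5 digest as the segment MAC. */
#define TCP_MD5_DIGEST_LEN 16

/*
 * Early-exit comparison (the weak pattern): returns at the first differing
 * byte, so the bytes touched, and therefore the elapsed time, depend on how
 * many leading bytes of the candidate are correct.
 * Returns 0 when equal, 1 when different; *bytes_examined reports the work done.
 */
int mac_cmp_early_exit(const uint8_t *expected, const uint8_t *candidate,
                       size_t len, size_t *bytes_examined)
{
    for (size_t i = 0; i < len; i++) {
        if (expected[i] != candidate[i]) {
            *bytes_examined = i + 1;
            return 1;
        }
    }
    *bytes_examined = len;
    return 0;
}

/*
 * Constant-time comparison in the shape of crypto_memneq(): every byte is
 * XORed and OR-folded into an accumulator with no data-dependent branch, so
 * the work done is identical for every candidate.
 * Returns 0 when equal, 1 when different.
 */
int mac_cmp_const_time(const uint8_t *expected, const uint8_t *candidate,
                       size_t len, size_t *bytes_examined)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(expected[i] ^ candidate[i]);
    *bytes_examined = len;
    /* Fold acc to 0 or 1 without a branch: for any non-zero 8-bit x,
     * x | (-x mod 256) has bit 7 set. */
    return (int)(((uint8_t)(acc | (uint8_t)(0u - acc))) >> 7);
}

/*
 * Build a constructed expected digest and a candidate that differs from it
 * only at byte diff_at; diff_at >= TCP_MD5_DIGEST_LEN means "identical".
 */
static void build_pair(size_t diff_at, uint8_t *expected, uint8_t *candidate)
{
    for (size_t i = 0; i < TCP_MD5_DIGEST_LEN; i++)
        expected[i] = (uint8_t)(0xA5 ^ (i * 7));   /* constructed sample digest */
    memcpy(candidate, expected, TCP_MD5_DIGEST_LEN);
    if (diff_at < TCP_MD5_DIGEST_LEN)
        candidate[diff_at] ^= 0x01;                 /* single-byte mismatch */
}

/* Bytes touched by each routine for a mismatch at diff_at. */
size_t bytes_touched_early_exit(size_t diff_at)
{
    uint8_t e[TCP_MD5_DIGEST_LEN], c[TCP_MD5_DIGEST_LEN];
    size_t n;
    build_pair(diff_at, e, c);
    mac_cmp_early_exit(e, c, TCP_MD5_DIGEST_LEN, &n);
    return n;
}

size_t bytes_touched_const_time(size_t diff_at)
{
    uint8_t e[TCP_MD5_DIGEST_LEN], c[TCP_MD5_DIGEST_LEN];
    size_t n;
    build_pair(diff_at, e, c);
    mac_cmp_const_time(e, c, TCP_MD5_DIGEST_LEN, &n);
    return n;
}

/* Verdict (0 equal, 1 differ) of each routine for a mismatch at diff_at. */
int verdict_early_exit(size_t diff_at)
{
    uint8_t e[TCP_MD5_DIGEST_LEN], c[TCP_MD5_DIGEST_LEN];
    size_t n;
    build_pair(diff_at, e, c);
    return mac_cmp_early_exit(e, c, TCP_MD5_DIGEST_LEN, &n);
}

int verdict_const_time(size_t diff_at)
{
    uint8_t e[TCP_MD5_DIGEST_LEN], c[TCP_MD5_DIGEST_LEN];
    size_t n;
    build_pair(diff_at, e, c);
    return mac_cmp_const_time(e, c, TCP_MD5_DIGEST_LEN, &n);
}

int main(void)
{
    const size_t pos[] = {0, 7, TCP_MD5_DIGEST_LEN - 1, TCP_MD5_DIGEST_LEN};
    for (size_t k = 0; k < sizeof pos / sizeof pos[0]; k++)
        printf("mismatch at %2zu: early-exit touched %2zu bytes, constant-time touched %2zu bytes\n",
               pos[k], bytes_touched_early_exit(pos[k]), bytes_touched_const_time(pos[k]));
    return 0;
}
```

Both routines return the same verdict for every input; the only difference is that the early-exit version's work grows with the length of the correct prefix, which is exactly the signal a constant-time helper removes. Byte counts stand in for timing here because they are deterministic; a real measurement would show the same shape with noise on top.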

Defensive priority

Critical

Recommended defensive actions

  • Apply the Linux kernel update or vendor backport that includes the constant-time MAC comparison fix.
  • Prioritize patching systems that expose TCP-MD5-protected services to untrusted or internet-facing networks.
  • Review vendor advisories and kernel package changelogs for backported fixes matching the referenced stable kernel commits.
  • Validate that affected hosts are running a kernel build that includes the tcp-md5 timing fix.
  • Continue standard network monitoring, but do not assume mitigations other than patching fully remove timing-side-channel exposure.

Evidence notes

This debrief is based on the supplied NVD record and the included kernel stable reference links. The corpus states only that the Linux kernel net/tcp-md5 MAC comparison was changed to constant-time to prevent timing attacks. I did not fetch or inspect the linked commit contents, so version ranges, exploitability details, and affected deployment specifics are not asserted here. Published: 2026-05-08T15:16:49.593Z; modified: 2026-05-11T08:16:12.450Z.

Official resources

CVE published on 2026-05-08 and last modified on 2026-05-11. No KEV entry was supplied in the source corpus.