PatchSiren cyber security CVE debrief
CVE-2026-43074 Linux CVE debrief
CVE-2026-43074 is a Linux kernel eventpoll use-after-free in ep_free() where struct eventpoll can be freed while another concurrent thread is still using it. The fix defers the kfree() to an RCU callback to avoid the race. NVD rates the issue HIGH with CVSS 7.8.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-06
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, embedded/device OEMs, and operators of systems that allow local user workloads should prioritize this advisory. Because the CVSS vector is local and requires low privileges, multi-user servers, container hosts, and developer workstations may be more exposed to practical abuse than single-user appliances.
Technical summary
The vulnerability is a race in fs/eventpoll.c: ep_free() could kfree() the struct eventpoll (reached from an epitem as epi->ep) before all concurrent readers had finished with it, leaving those readers holding a dangling pointer, a classic use-after-free. The published fix moves the release into an RCU callback, so the memory is not returned to the allocator until an RCU grace period has elapsed, that is, until every reader that could have observed the old pointer has left its read-side critical section. NVD maps the issue to CWE-401 and assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Note that CWE-401 is the memory-leak class (missing release of memory after effective lifetime), whereas the behaviour described in the record is a use-after-free (CWE-416); do not let the CWE label drive triage. Affected version ranges in the NVD record are 6.4.1 up to but not including 6.6.136, 6.7 up to but not including 6.12.83, 6.13 up to but not including 6.18.24, and 6.19 up to but not including 6.19.14, with additional vulnerable 6.4 and 7.0-rc builds listed individually in the record.
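To make the fix's reasoning concrete, the following is an added example, not kernel code and not the actual patch: a single-threaded userspace model of the ep_free() race and of why deferring the release to an RCU callback closes it. Real RCU is per-CPU and lock-free; this toy keeps only the invariant that matters, namely that a call_rcu() callback does not run until every reader that was inside rcu_read_lock() when the callback was queued has called rcu_read_unlock(). The struct names, the magic/poison values and the reader-counter implementation are all assumptions of the model; "kfree" is modelled by poisoning a magic field so the racing reader can observe the damage without undefined behaviour.

```c
/* Added example: userspace model of direct free vs. RCU-deferred free.
 * Not kernel code; all names and values below are the model's own. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct rcu_head {                    /* stand-in for the kernel's rcu_head */
    struct rcu_head *next;
    void (*func)(struct rcu_head *);
};

#define EP_MAGIC 0xEF01u             /* live object (model only) */
#define EP_FREED 0xDEADu             /* poison written by the modelled kfree */

struct eventpoll {                   /* toy eventpoll: magic + rcu_head */
    unsigned int magic;
    struct rcu_head rcu;
};

static int readers_active;           /* readers inside a read-side section */
static struct rcu_head *rcu_pending; /* callbacks waiting for a grace period */
static int releases_done;            /* objects the model has "kfree()d" */

/* The grace period ends, and callbacks run, only when no reader is active. */
static void rcu_quiesce(void)
{
    if (readers_active != 0)
        return;
    while (rcu_pending) {
        struct rcu_head *h = rcu_pending;
        rcu_pending = h->next;
        h->func(h);
    }
}

static void rcu_read_lock(void)   { readers_active++; }
static void rcu_read_unlock(void) { readers_active--; rcu_quiesce(); }

static void call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *))
{
    head->func = func;
    head->next = rcu_pending;
    rcu_pending = head;
    rcu_quiesce();                   /* runs at once if no reader is active */
}

/* Modelled kfree(): poison instead of returning memory to the allocator. */
static void ep_release(struct eventpoll *ep)
{
    ep->magic = EP_FREED;
    releases_done++;
}

static void ep_release_rcu_cb(struct rcu_head *head)
{
    /* container_of() by hand: recover the eventpoll from its rcu_head. */
    struct eventpoll *ep =
        (struct eventpoll *)((char *)head - offsetof(struct eventpoll, rcu));
    ep_release(ep);
}

/* Buggy shape: release immediately, even if a reader still holds ep. */
static void ep_free_direct(struct eventpoll *ep) { ep_release(ep); }

/* Fixed shape: hand the release to an RCU callback. */
static void ep_free_deferred(struct eventpoll *ep)
{
    call_rcu(&ep->rcu, ep_release_rcu_cb);
}

/* The race: a reader takes ep under rcu_read_lock(), the free path runs,
 * then the reader touches ep again. Returns 1 if the reader still saw a
 * live object, 0 if it observed the poisoned (use-after-free) state.
 * *released_early reports whether the release happened while the reader
 * was still inside its critical section. */
static int run_race(void (*free_fn)(struct eventpoll *), int *released_early)
{
    struct eventpoll *ep = calloc(1, sizeof *ep);
    int intact;

    if (!ep)
        abort();
    ep->magic = EP_MAGIC;
    releases_done = 0;

    rcu_read_lock();                       /* reader enters, holds ep */
    free_fn(ep);                           /* concurrent ep_free() path */
    intact = (ep->magic == EP_MAGIC);      /* reader's later access */
    *released_early = releases_done;
    rcu_read_unlock();                     /* grace period may end here */

    free(ep);                              /* model teardown; callbacks ran */
    return intact;
}

int direct_free_reader_intact(void)    { int r; return run_race(ep_free_direct, &r); }
int deferred_free_reader_intact(void)  { int r; return run_race(ep_free_deferred, &r); }
int deferred_free_released_early(void) { int r; run_race(ep_free_deferred, &r); return r; }
int deferred_free_released_total(void) { int r; run_race(ep_free_deferred, &r); return releases_done; }

int main(void)
{
    printf("direct kfree: reader intact=%d (0 means use-after-free)\n",
           direct_free_reader_intact());
    printf("RCU-deferred: reader intact=%d, released early=%d, released total=%d\n",
           deferred_free_reader_intact(), deferred_free_released_early(),
           deferred_free_released_total());
    return 0;
}
```

With the direct free the reader's second access lands on poisoned memory; with the deferred free the object stays intact until the reader leaves its critical section, and the release still happens exactly once afterwards. That is the whole of what the RCU callback buys: it does not prevent the concurrent access, it only guarantees the memory outlives it.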
Defensive priority
High. The vulnerability is local and requires low privileges, but the impact is complete confidentiality, integrity, and availability compromise per CVSS. Systems with untrusted local users, shared hosts, or containerized workloads should be patched promptly.
Recommended defensive actions
- Apply the relevant Linux kernel stable update that includes the eventpoll RCU-free fix.
- Verify vendor backports for your distribution or embedded kernel before assuming a version string is safe.
- Prioritize patching multi-user systems, developer workstations, and hosts that run untrusted local workloads.
- Confirm whether your fleet falls within the NVD-identified affected kernel version ranges and release candidates.
- Track the linked kernel patch references for the exact backported commit applied by your vendor.
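The range check in the actions above can be scripted. The following is an added example, not official tooling from NVD, kernel.org or any distribution: it parses a uname -r style release string and tests it against the four numeric ranges quoted from the NVD record in this debrief. Two caveats are built in. A "not listed" verdict is not a clean bill of health, because distributions backport fixes (and the bugs they fix) without changing the upstream version string, and the record's individually listed 6.4 and 7.0-rc builds are not encoded here, so release candidates are flagged for a manual lookup rather than classified. The sample release strings are constructed, not taken from any real fleet.

```c
/* Added example: check a kernel release string against the affected
 * [lo, hi) ranges quoted from the NVD record. Not official tooling. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kver { int major, minor, patch; };

/* Parse the leading "major.minor[.patch]" of strings such as
 * "6.6.120-generic" or "6.12"; a missing patch level is 0.
 * Returns 0 when there is no major.minor prefix at all. */
static int parse_kver(const char *s, struct kver *out)
{
    long v[3] = {0, 0, 0};
    char *end;
    int n = 0;                         /* components successfully parsed */

    while (n < 3) {
        v[n] = strtol(s, &end, 10);
        if (end == s || v[n] < 0)
            break;                     /* no digits at this position */
        n++;
        s = end;
        if (*s != '.')
            break;                     /* end of the dotted prefix */
        s++;
    }
    if (n < 2)
        return 0;
    out->major = (int)v[0];
    out->minor = (int)v[1];
    out->patch = (int)v[2];
    return 1;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Ranges as given in the NVD record: lower bound inclusive, upper exclusive. */
struct kver_range { struct kver lo, hi_excl; };
static const struct kver_range affected[] = {
    { {6, 4, 1},  {6, 6, 136} },
    { {6, 7, 0},  {6, 12, 83} },
    { {6, 13, 0}, {6, 18, 24} },
    { {6, 19, 0}, {6, 19, 14} },
};

enum verdict {
    KV_UNPARSEABLE = -1,   /* not a recognisable kernel release string */
    KV_NOT_LISTED  = 0,    /* outside the numeric ranges; verify backports */
    KV_AFFECTED    = 1,    /* inside a listed range: treat as vulnerable */
    KV_RC_LOOKUP   = 2     /* release candidate: consult the record's list */
};

enum verdict check_release(const char *release)
{
    struct kver v;
    size_t i;

    if (!parse_kver(release, &v))
        return KV_UNPARSEABLE;
    if (strstr(release, "-rc") != NULL)
        return KV_RC_LOOKUP;           /* rc builds are listed individually */
    for (i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(v, affected[i].lo) >= 0 &&
            kver_cmp(v, affected[i].hi_excl) < 0)
            return KV_AFFECTED;
    return KV_NOT_LISTED;
}

int main(void)
{
    /* Constructed sample release strings, not from a real fleet. */
    static const char *const samples[] = {
        "6.6.120-generic", "6.6.136", "6.12.82-arch1-1", "6.12.83",
        "6.18.23", "6.19.13", "6.19.14", "7.0-rc3", "6.1.140", "banana",
    };
    static const char *const names[] = {
        "unparseable", "not listed (verify backports)", "AFFECTED",
        "release candidate: check record",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i], names[check_release(samples[i]) + 1]);
    return 0;
}
```

Feed it the output of uname -r on each host and treat KV_AFFECTED as a patching ticket; treat KV_NOT_LISTED as a prompt to confirm with the vendor's changelog or backported commit list rather than as a pass.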
Evidence notes
This debrief is based only on the supplied NVD CVE record and the linked official kernel patch references. The vulnerability description states that ep_free() could free struct eventpoll while still in use, and that the remediation defers kfree() to an RCU callback. Timing context uses the provided CVE publishedAt (2026-05-06T10:16:20.343Z) and modifiedAt (2026-05-20T23:20:05.510Z) fields; no KEV entry was provided.
Official resources
- CVE-2026-43074 CVE record (CVE.org)
- CVE-2026-43074 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (the record carries five Patch references under this source identifier, one per upstream or backported commit)
Published in NVD on 2026-05-06 and modified on 2026-05-20; no Known Exploited Vulnerabilities (KEV) entry was provided in the corpus.