PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43078 Linux CVE debrief

CVE-2026-43078 is a high-severity Linux kernel vulnerability in the af_alg crypto subsystem. The issue was resolved by fixing an off-by-one overflow in af_alg_pull_tsgl: after page reassignment was introduced, the existing loop could attempt to reassign one page too many. The kernel patch adds a check that prevents the extra reassignment and updates an outdated comment. Because the CVSS vector requires local access and low privileges, the main risk is to systems where untrusted local users can interact with a vulnerable kernel.

Vendor: Linux
Product: Unknown
CVSS: 7.8 HIGH
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-20
Advisory published: 2026-05-06
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that allow local users or workloads to run untrusted code. This is especially relevant for multi-user servers, shared infrastructure, and any fleet tracking upstream or stable kernel releases listed as vulnerable by NVD.

Technical summary

NVD classifies the weakness as CWE-787 and rates it CVSS 3.1 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw is in af_alg_pull_tsgl, where a page reassignment path can overrun by one iteration after prior code changes. The supplied record links multiple kernel patch commits, indicating a backported fix across maintained branches. NVD marks affected ranges across many Linux kernel lines, including 4.14.1 before 5.10.254; 5.11 before 5.15.204; 5.16 before 6.1.170; 6.2 before 6.6.137; 6.7 before 6.12.85; 6.13 before 6.18.24; and 6.19 before 6.19.14, with additional criteria for 7.0 release candidates.

Defensive priority

High. The vulnerability is local-privilege-scoped, but it affects widely deployed kernel branches and is rated HIGH severity with potential for confidentiality, integrity, and availability impact. Prioritize patching systems that allow untrusted local execution.

Recommended defensive actions

  • Update affected Linux kernel systems to a fixed stable release that includes the af_alg_pull_tsgl page-reassignment fix.
  • Verify fleet exposure against the NVD vulnerable version ranges, including long-term-support and enterprise kernel backports.
  • Prioritize remediation on shared systems where untrusted local users, containers, or tenant workloads can reach the kernel attack surface.
  • Track vendor kernel advisories and backported patches for your distribution, since the public record links multiple stable-tree fixes.
  • Reboot into the patched kernel where required and confirm the running kernel version matches a non-vulnerable build.
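The exposure check and the post-reboot version confirmation above can be scripted. The following is an added example, not code from PatchSiren or the Linux kernel project: it parses `uname -r` style release strings and tests them against the NVD upstream ranges quoted in the technical summary (start inclusive, end exclusive). The inventory and host names are constructed sample data. The "7.0 release candidate" criteria are not encoded, so any `-rc` release is flagged for manual review rather than classified; and because distributions backport fixes without changing the upstream version number, a hit here is a triage signal to check against the vendor advisory, not proof of vulnerability.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# NVD upstream ranges as quoted in the debrief: (first affected, first fixed).
# Tuple comparison is lexicographic, which matches (major, minor, patch) ordering.
# The 7.0 release-candidate criteria are deliberately NOT encoded here.
AFFECTED_RANGES = [
    ((4, 14, 1), (5, 10, 254)),
    ((5, 11, 0), (5, 15, 204)),
    ((5, 16, 0), (6, 1, 170)),
    ((6, 2, 0), (6, 6, 137)),
    ((6, 7, 0), (6, 12, 85)),
    ((6, 13, 0), (6, 18, 24)),
    ((6, 19, 0), (6, 19, 14)),
]

# Leading numeric part of a release string; suffixes such as "-generic",
# ".el9" or "-rt" are ignored, and a missing patch level counts as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Optional[Version]:
    """Turn '6.6.130-generic' into (6, 6, 130); return None if unparseable."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_nvd_affected_range(version: Version) -> bool:
    """True if the upstream version falls inside any quoted NVD range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def classify(release: str) -> str:
    """Classify one `uname -r` string.

    affected-upstream-range  -> upstream version is inside an NVD range;
                                confirm against the distribution's backports.
    not-in-affected-range    -> upstream version is outside every range.
    manual-check             -> release candidate; NVD rc criteria not encoded.
    unknown                  -> no version could be parsed.
    """
    version = parse_kernel_version(release)
    if version is None:
        return "unknown"
    if "-rc" in release:
        return "manual-check"
    if in_nvd_affected_range(version):
        return "affected-upstream-range"
    return "not-in-affected-range"


def assess_fleet(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification; input is host -> `uname -r`."""
    return {host: classify(release) for host, release in inventory.items()}


# Constructed sample inventory (hypothetical hosts and release strings).
SAMPLE_INVENTORY = {
    "web-01": "6.6.130-generic",   # inside 6.2 .. 6.6.137
    "db-02": "6.6.140",            # at or past the fixed release
    "ci-03": "5.10.260-rt",        # 5.10.x past 5.10.254 is outside the ranges
    "legacy-04": "4.19.300",       # inside 4.14.1 .. 5.10.254
    "k8s-06": "6.12.85",           # exactly the fixed release (end exclusive)
    "k8s-07": "6.13.0",            # exactly the first affected release
    "lab-08": "7.0.0-rc2",         # rc criteria not encoded: flag for review
    "lab-09": "custom-build",      # unparseable
}

if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLE_INVENTORY).items():
        print(f"{host:10} {SAMPLE_INVENTORY[host]:18} {verdict}")
```

Run it against real data by feeding the output of `uname -r` from each host into the inventory dict; a host that still reports an affected version after patching has not yet rebooted into the fixed kernel.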

Evidence notes

This debrief is based only on the provided CVE description, NVD metadata, and linked official references. The description states the bug is an off-by-one page reassignment issue in af_alg_pull_tsgl. NVD lists the weakness as CWE-787, assigns CVSS 3.1 7.8 HIGH, marks the record analyzed, and provides affected version criteria plus multiple kernel patch links. No exploit method, proof-of-concept, or unsupported impact claims are included.

Official resources

CVE-2026-43078 was published on 2026-05-06 and later modified on 2026-05-20 in the supplied NVD record. The record is analyzed and includes official kernel patch references.