PatchSiren cyber security CVE debrief

CVE-2026-43091 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's XFRM (IPsec transform) subsystem during network namespace teardown. The xfrm_policy_fini() function frees policy_bydst hash tables without waiting for concurrent RCU readers to exit their critical sections. Since these tables are published via rcu_assign_pointer() and accessed through rcu_dereference_check(), premature freeing allows use-after-free access by lingering RCU readers. The fix adds synchronize_rcu() before freeing the hash table memory to ensure all RCU readers have completed. This is a local privilege escalation vulnerability requiring low privileges and no user interaction.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-19
Advisory published: 2026-05-06
Advisory updated: 2026-05-19

Who should care

System administrators running Linux kernels with IPsec/XFRM and network namespaces; container platform operators; VPN infrastructure teams; security teams tracking kernel privilege escalation vectors

Technical summary

The vulnerability is a use-after-free in net/xfrm/xfrm_policy.c during network namespace teardown. The policy_bydst hash tables are RCU-protected, but xfrm_policy_fini() freed them without first calling synchronize_rcu(), so RCU readers still inside their critical sections could access the freed memory. The fix adds synchronize_rcu() before the kfree(table) calls. Affected versions span 4.9 through 6.19.14 and 7.0-rc1 through 7.0-rc7. The CVSS 3.1 score of 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector with high impact on confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.6.136+, 6.12.83+, 6.18.24+, 6.19.14+, or 7.0-rc8+ when available
  • If immediate patching is not possible, avoid frequent network namespace creation/destruction cycles that trigger xfrm_policy_fini()
  • Monitor for kernel updates from distribution vendors for backported fixes
  • Review systems using IPsec/XFRM with network namespaces (containers, VPNs) for abnormal behavior
  • Validate kernel version through uname -r and compare against fixed versions in CPE criteria
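As an added example (not PatchSiren's tooling and not part of the kernel project), the following POSIX shell script implements the last action above: it parses a uname -r string and classifies it against the fixed stable versions listed in this debrief (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0-rc8) and the affected range (4.9 through the 6.19 series). It assumes upstream version numbering; distribution kernels frequently carry backported fixes under an older version number, so treat a "vulnerable" or "unpatched-branch" result as a prompt to check the vendor advisory, not as proof of exposure.

```shell
#!/bin/sh
# Added example: classify a kernel version string against the fixed
# versions listed in the CVE-2026-43091 debrief. Fixed stable versions
# are taken from the debrief; everything else is assumed.

# Stable branches with a listed fix, as branch:first-fixed-patch.
FIXED_TABLE="6.6:136 6.12:83 6.18:24 6.19:14"

# xfrm_status VERSION prints one of:
#   fixed             at or above the listed fix for its branch
#   vulnerable        on a listed branch (or 7.0-rc) but below the fix
#   unpatched-branch  inside 4.9..6.19 on a branch with no listed
#                     upstream fix; rely on vendor backports
#   not-affected      below 4.9, or a release after the 7.0 series
#   unknown           string could not be parsed as a version
xfrm_status() {
    ver=$1
    # Keep only the leading numeric part: "6.12.83-1-generic" -> "6.12.83".
    num=$(printf '%s' "$ver" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    major=${num%%.*}
    case $num in
        *.*) rest=${num#*.} ;;
        *)   rest=0 ;;
    esac
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    # Release-candidate number if present: "7.0.0-rc7" -> 7.
    rc=$(printf '%s' "$ver" | sed -n 's/.*-rc\([0-9][0-9]*\).*/\1/p')
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return ;; esac
    done

    # 7.0 series: rc8 and later carry the fix; a final 7.0 is past rc8.
    if [ "$major" -eq 7 ] && [ "$minor" -eq 0 ]; then
        if [ -z "$rc" ] || [ "$rc" -ge 8 ]; then echo fixed; else echo vulnerable; fi
        return
    fi
    # Anything after 7.0 was released with the fix already in mainline.
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 0 ]; }; then
        echo not-affected; return
    fi
    # Below 4.9 is outside the affected range stated in the debrief.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; }; then
        echo not-affected; return
    fi
    # Stable branches with a listed fix: compare the patch level.
    for entry in $FIXED_TABLE; do
        branch=${entry%%:*}
        fixpatch=${entry##*:}
        if [ "$major.$minor" = "$branch" ]; then
            if [ "$patch" -ge "$fixpatch" ]; then echo fixed; else echo vulnerable; fi
            return
        fi
    done
    echo unpatched-branch
}

# Usage: ./xfrm_check.sh [VERSION]; defaults to the running kernel.
running=${1:-$(uname -r 2>/dev/null || echo unknown)}
echo "kernel $running: $(xfrm_status "$running")"
```

The script only reports a verdict; on a system that reports "vulnerable" or "unpatched-branch", the next step is the distribution's own advisory, since a backported fix does not change the uname -r string.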

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-06 and modified 2026-05-19. The fix involves adding synchronize_rcu() to properly wait for RCU grace periods during xfrm policy netns exit. Multiple stable kernel patches have been released across affected branches.
