PatchSiren cyber security CVE debrief

CVE-2026-43328 Linux CVE debrief

CVE-2026-43328 is a Linux kernel double-free flaw in cpufreq governor initialization. The bug occurs on an error path after kobject_init_and_add(), where cleanup can be performed twice through cpufreq_dbs_data_release() and the surrounding failure handling. NVD rates the issue high severity (CVSS 7.8) and lists multiple affected kernel version ranges.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-18
Advisory published: 2026-05-08
Advisory updated: 2026-05-18

Who should care

Linux distribution maintainers, kernel package owners, embedded device vendors, and operators of systems that allow local users to run code on affected kernels should prioritize this advisory.

Technical summary

According to the CVE description, cpufreq_dbs_governor_init() may call kobject_put(&dbs_data->attr_set.kobj) after kobject_init_and_add() fails. The kobject release callback cpufreq_dbs_data_release() already invokes gov->exit(dbs_data) and kfree(dbs_data), but the existing error path then calls gov->exit(dbs_data) and kfree(dbs_data) again. This creates a double free (CWE-415). NVD’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access and low privileges are required.
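The ownership mistake described above, as an added example that is neither kernel code nor part of the PatchSiren debrief: a toy kobject with a refcount and release callback stands in for the real kobject API, governor_init(0) follows the vulnerable error path, and governor_init(1) follows the assumed fix of stopping right after kobject_put(). The model names and the shape of the fix are assumptions; the point is that after kobject_init_and_add() has run, the release callback owns the cleanup and the caller must not repeat it.

```c
#include <stdlib.h>
/* Constructed model of the kobject ownership pattern behind CVE-2026-43328.
 * Not kernel code: refcount, release and allocator are simplified stand-ins. */
static int dbs_data_frees;   /* kfree() calls on the one dbs_data allocation */
static int gov_exit_calls;   /* gov->exit() calls on that allocation */

struct kobj { int refcount; void (*release)(struct kobj *); };
struct dbs_data { struct kobj kobj; };   /* kobj first, so the cast back works */
/* Instrumented stand-in for kfree(): counts frees instead of touching the
 * heap, so a second call is recorded rather than corrupting memory. */
static void kfree_model(struct dbs_data *d) { (void)d; dbs_data_frees++; }
static void gov_exit(struct dbs_data *d) { (void)d; gov_exit_calls++; }

/* Release callback: once the refcount hits zero this is the only cleanup. */
static void dbs_data_release(struct kobj *k)
{
    struct dbs_data *d = (struct dbs_data *)k;
    gov_exit(d);
    kfree_model(d);
}
/* Drops a reference; the last drop runs the release callback. */
static void kobject_put_model(struct kobj *k) { if (--k->refcount == 0) k->release(k); }

/* Models kobject_init_and_add() failing after init: the reference is held,
 * so ownership of dbs_data has already passed to the kobject. */
static int kobject_init_and_add_model(struct kobj *k, int fail)
{
    k->refcount = 1;
    k->release = dbs_data_release;
    return fail ? -1 : 0;
}

int gov_exit_count(void) { return gov_exit_calls; }

/* Returns kfree() calls on dbs_data. fixed=0 reproduces the vulnerable error
 * path; fixed=1 is the assumed fix: stop after kobject_put(). */
int governor_init(int fixed)
{
    struct dbs_data *d = calloc(1, sizeof *d);
    if (!d) return -1;
    dbs_data_frees = gov_exit_calls = 0;
    if (kobject_init_and_add_model(&d->kobj, 1) != 0) {
        kobject_put_model(&d->kobj);   /* release runs: gov->exit + kfree */
        if (!fixed) {
            gov_exit(d);               /* vulnerable: exit a second time */
            kfree_model(d);            /* vulnerable: double free (CWE-415) */
        }
    }
    free(d);                           /* tear down the model allocation */
    return dbs_data_frees;
}
```

The vulnerable path reports two frees and two exits on a single allocation; the fixed path reports one of each, which is the invariant a reviewer checks on any error path that follows kobject_init_and_add().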

Defensive priority

High. This is a kernel memory-management flaw with high CVSS impact and local attack requirements. Systems that expose local login, container, or multi-tenant execution on affected kernel branches should be patched promptly.

Recommended defensive actions

  • Apply the vendor or stable kernel patches referenced by NVD for CVE-2026-43328.
  • Upgrade to a kernel release outside the affected ranges listed by NVD for your branch.
  • Prioritize patching systems where untrusted local users, tenants, or workloads can execute code.
  • If immediate patching is not possible, reduce local code execution exposure and monitor for kernel instability or unexpected reboots.
  • Track downstream vendor advisories for backported fixes on your distribution’s kernel line.

Evidence notes

This debrief is based on the CVE description and NVD metadata provided in the source corpus. The issue is identified as CWE-415 (double free). NVD marks the vulnerability as analyzed and supplies patch references in kernel.org stable commit links. NVD lists affected Linux kernel ranges across multiple branches, including 5.2 through before 5.10.253, 5.11 through before 6.1.168, 6.2 through before 6.6.134, 6.7 through before 6.12.81, 6.13 through before 6.18.22, and 6.19 through before 6.19.12, plus specific release candidates noted in the record.

Official resources

Published in the source corpus on 2026-05-08T14:16:42.397Z and last modified on 2026-05-18T12:43:45.277Z. NVD later added analyzed status, affected-version criteria, and kernel.org patch references.