PatchSiren cyber security CVE debrief
CVE-2026-43402 Linux CVE debrief
CVE-2026-43402 is a critical Linux kernel use-after-free in kthread teardown. According to the CVE description, a kthread that exits through make_task_dead() could bypass kthread_exit(), skip affinity-node cleanup, and leave a node linked in the global kthread_affinity_list while the struct kthread memory is freed and later reused. That can let a later list_del() write through dangling pointers and corrupt adjacent kernel data, including an RCU callback function pointer. NVD assigns CVSS 3.1 9.8 Critical and classifies the weakness as CWE-416.
- Vendor: Linux
- Product: Unknown
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Kernel maintainers, Linux distribution security teams, fleet operators running affected kernel builds, and vendors shipping kernel modules or embedded products based on the Linux kernel. Systems using affected kernel versions should treat this as urgent because the issue is kernel-memory corruption with high impact.
Technical summary
The reported flaw stems from inconsistent kthread exit handling. The pidfs rhashtable conversion reduced struct pid size, and under CONFIG_SLAB_MERGE_DEFAULT plus SLAB_HWCACHE_ALIGN, struct pid and struct kthread can share a 192-byte slab cache, with their internal fields aligning at the same offset. If a kthread exits via make_task_dead(), it can skip the normal kthread_exit() cleanup path, leaving affinity_node linked in kthread_affinity_list after free_kthread_struct() releases the object. When another kthread later unlinks the stale list entry, the list_del() writes land in the reused memory and can corrupt a pid RCU callback pointer. The described fix consolidates exit handling so kthread-specific cleanup runs regardless of whether exit occurs through make_task_dead(), direct do_exit(), or kthread_exit().
Defensive priority
Critical. NVD rates the issue 9.8/10 and marks it remotely reachable in the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Kernel-level memory corruption can lead to system instability, denial of service, or broader integrity compromise, so patching should be prioritized across exposed and production systems.
Recommended defensive actions
- Apply the upstream/stable Linux kernel fixes referenced by the kernel.org patch links.
- Upgrade affected kernels to versions outside the NVD vulnerable ranges where possible.
- Track the specific kernel releases in your fleet that fall within NVD's affected CPE ranges: 6.14 up to but not including 6.18.19, 6.19 up to but not including 6.19.9, and 7.0-rc1/rc2.
- Rebuild and redeploy any out-of-tree kernel modules that depend on the kthread_exit/do_exit interface changes described in the fix.
- Verify production kernels after patching with normal reboot and health-check procedures, since this issue affects core kernel teardown paths.
- Prioritize systems that use kernels built with CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN, as the description says those conditions contribute to the vulnerable memory layout.
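The NVD ranges listed above, turned into a triage check over a fleet's kernel release strings (an added example, not code from the CVE record or the kernel project). Host names and release strings in the sample inventory are constructed; a version match is only a triage signal, since distribution kernels may carry the fix as a backport without changing the upstream version number.

```python
import re

# NVD ranges as stated on this page, half-open [first affected, first fixed).
VULNERABLE_RANGES = [((6, 14, 0), (6, 18, 19)), ((6, 19, 0), (6, 19, 9))]
# Pre-release builds the page names explicitly (7.0-rc1 and 7.0-rc2).
VULNERABLE_RCS = {((7, 0, 0), "rc1"), ((7, 0, 0), "rc2")}

# Matches "6.18.4", "6.14", "7.0.0-rc1", "6.17.0-8-generic" (distro suffix ignored).
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def classify(release):
    """Classify a `uname -r` style string: in-range, not-in-range or review."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "review"  # unparsable string: send to a human
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    if rc:
        # Only the rc builds named on the page are flagged; others are not guessed.
        return "in-range" if (version, rc) in VULNERABLE_RCS else "review"
    if any(lo <= version < hi for lo, hi in VULNERABLE_RANGES):
        return "in-range"
    return "not-in-range"


def triage(inventory):
    """Return the hosts whose kernel needs patching or manual review."""
    results = {host: classify(rel) for host, rel in inventory.items()}
    return {host: s for host, s in results.items() if s != "not-in-range"}


# Constructed sample inventory: host names and releases are hypothetical.
SAMPLE_INVENTORY = {
    "web-01": "6.18.18",
    "web-02": "6.18.19",
    "db-01": "6.19.8-custom",
    "edge-01": "6.17.0-8-generic",
    "lab-01": "7.0.0-rc2",
    "lab-02": "7.0.0-rc3",
    "legacy-01": "5.14.0-427.el9.x86_64",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{SAMPLE_INVENTORY[host]}\t{status}")
```

Hosts returned as "review" run a pre-release or unparsable build that the listed ranges do not cover and need a manual check against the kernel.org patch links.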
Evidence notes
Primary evidence comes from the CVE record and NVD metadata supplied in the source corpus. The description states that the bug is a kthread exit-path use-after-free caused by missed affinity-node cleanup, with corruption possible when a stale list node is later removed. NVD marks the issue CVSS 3.1 9.8 Critical, CWE-416, and maps affected Linux kernel versions to 6.14-6.18.18, 6.19-6.19.8, and 7.0-rc1/rc2 via CPE criteria. Three official kernel.org references are provided as patch links.
Official resources
- CVE-2026-43402 CVE record (CVE.org)
- CVE-2026-43402 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
CVE published 2026-05-08 and last modified 2026-05-21. No KEV listing was provided in the supplied corpus.