PatchSiren cyber security CVE debrief
CVE-2026-43409 Linux CVE debrief
CVE-2026-43409 is a Linux kernel vulnerability in kprobes handling that can lead to a crash when a module is removed or inserted after ftrace has already been killed by an earlier error path. NVD rates the issue CVSS 5.5/Medium, with local privileges required and high availability impact. The kernel fix is to check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip ftrace-related operations once ftrace has been killed.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distribution security teams, and operators running systems that use kprobes, ftrace, or loadable kernel modules. This is especially relevant for environments where local users or administrators can trigger module load/unload activity.
Technical summary
The supplied vulnerability description states that once ftrace has been killed by an earlier error, removing a module that contains kprobe probes can trigger a page fault in kprobes_module_callback(). The root cause is that the kprobe-on-ftrace logic does not correctly honour the kprobe_ftrace_disabled flag set by ftrace_kill(). According to the NVD record, the weakness is CWE-476 (NULL Pointer Dereference), and the observable impact is a kernel crash rather than confidentiality or integrity loss. NVD's affected-version ranges indicate exposure across multiple Linux kernel branches, including versions before 6.6.130, 6.12.78, 6.18.19, and 6.19.9, as well as 7.0 release candidates rc1 through rc3.
Defensive priority
High for availability protection on affected kernels, but not an emergency for remote-exploitation response. The issue is locally reachable and primarily causes denial of service, so prioritize it for systems where local users can load/unload modules or where kernel crash resilience is critical.
Recommended defensive actions
- Apply the upstream Linux kernel fixes referenced by the official stable commit links in the NVD record.
- Upgrade to a kernel version outside the vulnerable ranges listed by NVD for your release line.
- If immediate patching is not possible, reduce exposure to local module load/unload activity and review whether kprobes and ftrace are needed in the affected environment.
- Monitor kernel crash logs for kprobes_module_callback() faults or repeated module unload-related panics until patched.
- Track vendor backports carefully, because affected and fixed versions may differ by distribution even when the upstream NVD ranges are known.
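The two checks the actions above call for, a kernel-version comparison against the NVD-stated ranges and a scan of kernel log lines for the kprobes_module_callback() fault, as an added example that is not part of the PatchSiren debrief or of the Linux kernel tree. The branch/fixed-version table is taken from the technical summary; the reading that "before 6.6.130" means the 6.6 stable branch at a patch level below 130 is an assumption of this example, and the sample log lines are constructed. Kernels on branches the advisory does not name (including distribution kernels such as 5.14.0-503.el9) are reported as outside the stated ranges rather than as safe, because backports cannot be inferred from the version string alone.

```python
"""Added example: classify a `uname -r` string against the NVD-stated vulnerable
ranges for CVE-2026-43409 and find the kprobes_module_callback() fault in kernel
log text. Not code from the advisory or the kernel; the branch mapping below is
an interpretation of the advisory's "before X.Y.Z" wording (assumption)."""
import platform
import re
from dataclasses import dataclass
from typing import Optional

# Upstream stable branch -> first patch level on that branch carrying the fix,
# as listed in the advisory's technical summary (assumed to be per-branch).
FIXED_BY_BRANCH = {
    (6, 6): 130,
    (6, 12): 78,
    (6, 18): 19,
    (6, 19): 9,
}
# 7.0 release candidates the advisory reports as vulnerable (rc1..rc3).
VULNERABLE_RC = {(7, 0, rc) for rc in (1, 2, 3)}

VULNERABLE = "vulnerable"
FIXED = "fixed"
UNKNOWN = "outside stated ranges: check distribution backports"

# Leading fields of a uname -r string: "6.6.129", "6.12.77-arch1-1",
# "7.0.0-rc2", "5.14.0-503.el9.x86_64". Distro suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


@dataclass(frozen=True)
class KernelVersion:
    major: int
    minor: int
    patch: int
    rc: Optional[int]  # release-candidate number, None for a release kernel


def parse_kernel_version(release: str) -> KernelVersion:
    """Parse the upstream version fields out of a kernel release string."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return KernelVersion(int(major), int(minor), int(patch or 0),
                         int(rc) if rc else None)


def classify(release: str) -> str:
    """Return VULNERABLE, FIXED or UNKNOWN for a kernel release string."""
    v = parse_kernel_version(release)
    if v.rc is not None:
        # Only the named 7.0 release candidates are in the stated ranges.
        return VULNERABLE if (v.major, v.minor, v.rc) in VULNERABLE_RC else UNKNOWN
    fixed_patch = FIXED_BY_BRANCH.get((v.major, v.minor))
    if fixed_patch is None:
        return UNKNOWN
    return VULNERABLE if v.patch < fixed_patch else FIXED


# Constructed sample kernel log text (not output from a real affected system);
# the RIP line mimics a fault at the function named in the advisory.
SAMPLE_DMESG = """\
[  120.001] usbcore: registered new interface driver usbhid
[  340.557] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  340.558] RIP: 0010:kprobes_module_callback+0x1a2/0x2c0
[  340.559] Call Trace:
[  341.002] wlan0: associated
"""

_FAULT_RE = re.compile(r"kprobes_module_callback")


def find_kprobe_faults(log_text: str) -> list:
    """Return the log lines that name kprobes_module_callback(), the crash site
    the advisory says to monitor until the kernel is patched."""
    return [line for line in log_text.splitlines() if _FAULT_RE.search(line)]


if __name__ == "__main__":
    running = platform.release()
    print(f"running kernel {running}: {classify(running)}")
    for line in find_kprobe_faults(SAMPLE_DMESG):
        print("kprobe fault candidate:", line)
```

In production the log scan would read the journal or /dev/kmsg rather than the embedded sample, and a FIXED result from the version check should still be confirmed against the distribution's changelog, as the last action in the list notes.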
Evidence notes
The debrief is based only on the supplied CVE/NVD corpus. The vulnerability description explicitly states that the crash occurs after ftrace is killed and a module containing kprobe probes is removed, and that the fix is to check kprobe_ftrace_disabled in __disarm_kprobe_ftrace(). NVD marks the record as analyzed, assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists CWE-476. The supplied NVD references include five official kernel.org stable patch links, which are the only remediation sources used here.
Official resources
- CVE-2026-43409 CVE record (CVE.org)
- CVE-2026-43409 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE/NVD record on 2026-05-08. The record was last modified on 2026-05-21, but that is a metadata update and not the issue date.