PatchSiren cyber security CVE debrief
CVE-2026-43438 Linux CVE debrief
CVE-2026-43438 is a Linux kernel sched_ext vulnerability caused by an unbalanced css_put() in scx_cgroup_init(). In the error path, the code could drop a reference that was never acquired, underflowing the cgroup subsystem’s refcount and creating a potential use-after-free condition. NVD rates the issue HIGH (CVSS 7.8) and maps it to CWE-416.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distribution security teams, and operators running kernels in the affected version ranges—especially systems that enable or rely on sched_ext/cgroup functionality. Because the CVSS vector is local and requires low privileges, multi-user systems should treat this as a meaningful local-security fix.
Technical summary
The supplied kernel description says css_for_each_descendant_pre() iterates cgroup descendants under cgroup_lock() without incrementing css reference counts. The bug was that scx_cgroup_init() called css_put() in its error path even though no css_get() or css_tryget_online() had been used to obtain a reference. That imbalance can underflow the css refcount and may free an object still in use, which is the basis for the potential UAF. NVD lists CWE-416 and includes patch references that remove the redundant css_put().
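To make the imbalance concrete, the following is a constructed C model of the two error paths, added here as an example; it is not kernel code. `model_css`, `walk_descendants` and the two `cgroup_init_*` functions are simplified stand-ins for the css object, `css_for_each_descendant_pre()` and `scx_cgroup_init()`, and the failing callback is a constructed input. It shows why a put() with no prior get() leaves the failing css freed while its parent still points to it, and why the fixed path simply returns the error.

```c
#include <stdbool.h>

/* Constructed stand-in for a cgroup subsystem state (css); a model of the
 * bug pattern described above, not kernel code. refcnt == 0 means freed. */
struct model_css { int id; int refcnt; };

static void model_css_put(struct model_css *c)
{
    if (c->refcnt > 0)   /* the kernel's refcount_t would WARN on underflow */
        c->refcnt--;     /* reaching 0 frees the object under live pointers */
}

/* Pre-order walk "under cgroup_lock": like css_for_each_descendant_pre(), it
 * hands out pointers without taking a reference on any of them. */
static int walk_descendants(struct model_css *tree, int n,
                            int (*init)(struct model_css *), struct model_css **bad)
{
    for (int i = 0; i < n; i++) {
        int ret = init(&tree[i]);
        if (ret) { *bad = &tree[i]; return ret; }
    }
    return 0;
}

/* Buggy error path: releases a reference the walk never acquired. */
static int cgroup_init_buggy(struct model_css *t, int n, int (*init)(struct model_css *))
{
    struct model_css *bad = 0;
    int ret = walk_descendants(t, n, init, &bad);
    if (ret)
        model_css_put(bad);   /* unbalanced put: drops the parent's reference */
    return ret;
}

/* Fixed error path: nothing was acquired, so nothing is released. */
static int cgroup_init_fixed(struct model_css *t, int n, int (*init)(struct model_css *))
{ struct model_css *bad = 0; return walk_descendants(t, n, init, &bad); }

/* Constructed init callback: the css with id 1 fails to come online. */
static int init_fail_on_id1(struct model_css *c) { return c->id == 1 ? -1 : 0; }

/* Runs the error path on a constructed two-css tree and returns the refcount
 * left on the failing css: 1 = parent still owns it, 0 = freed under a live pointer. */
static int refcnt_after_failed_init(bool fixed)
{
    struct model_css tree[2] = { { .id = 0, .refcnt = 1 }, { .id = 1, .refcnt = 1 } };
    (fixed ? cgroup_init_fixed : cgroup_init_buggy)(tree, 2, init_fail_on_id1);
    return tree[1].refcnt;
}
```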
Defensive priority
High. This is a local vulnerability with low privileges and high CIA impact in the CVSS vector. Patch quickly on exposed or multi-user Linux systems, and prioritize any environment that ships kernels in the affected ranges or backports sched_ext changes.
Recommended defensive actions
- Update to a kernel build that includes the upstream fix removing the redundant css_put() in scx_cgroup_init().
- Verify whether your distribution kernel backports one of the linked patches rather than relying only on the upstream version number.
- Audit deployed kernel versions against the NVD affected ranges: 6.12 before 6.12.78, 6.13 before 6.18.19, 6.19 before 6.19.9, and 7.0-rc1/rc2.
- If you maintain a custom kernel, confirm the fix is present in your local sched_ext/cgroup tree and not just in a release tag.
- Track kernel advisory and package update status for fleet hosts, especially systems with untrusted local users.
Evidence notes
The CVE record and NVD detail identify Linux kernel as the affected vendor/product and cite CWE-416. The NVD references include four official kernel.org patch links. The supplied vulnerability description explicitly states that css_for_each_descendant_pre() does not increment css references and that the error-path css_put() in scx_cgroup_init() was removed to prevent refcount underflow and potential UAF. No KEV entry is present in the supplied corpus.
Official resources
- CVE-2026-43438 CVE record (CVE.org)
- CVE-2026-43438 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (four entries, all identical)
Publicly disclosed in the CVE record on 2026-05-08; the supplied NVD entry was last modified on 2026-05-21. Official patch references were available in the supplied corpus.