PatchSiren cyber security CVE debrief

CVE-2026-43455 Linux CVE debrief

CVE-2026-43455 is a Linux kernel MCTP routing bug in which a check-and-set sequence runs without the lock that protects it, so two concurrent callers can race and leak a device reference. The issue is published in NVD with CVSS 5.5 (MEDIUM) and affects multiple kernel release lines up to the fixed stable versions. NVD published the record on 2026-05-08 and last modified it on 2026-05-20.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running kernels that include MCTP support, especially on systems where local users can reach the affected transmit path.

Technical summary

mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key() without holding key->lock, even though the related key management functions are annotated as requiring that lock. In the mctp_sendmsg() transmit path, two concurrent callers can both observe key->dev as NULL and each acquire a device reference, but only the final assignment is stored in key->dev and therefore tracked for release. The earlier reference is never dropped, leaving a resource leak whose impact is primarily on availability.
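As an added illustration (not kernel code, and not taken from the kernel fix or the NVD record), the following replays the lost-reference interleaving described above on a simplified model of the key and device structures, then shows the same two callers with the check-and-set done as one unit under key->lock. The structure names, the toy lock, and the assumption that the fix is to hold key->lock around the check-and-set are stand-ins inferred from the description, not the actual patch.

```c
/* Deterministic model of the CVE-2026-43455 race. Structure names are
 * simplified stand-ins for the kernel types, not kernel code. */
#include <stddef.h>

struct mctp_dev { int refs; };                   /* refcounted device */
struct lock_model { int held; };                 /* toy stand-in for key->lock */
struct mctp_sk_key { struct lock_model lock; struct mctp_dev *dev; };

static void dev_hold(struct mctp_dev *d) { d->refs++; }
static void dev_put(struct mctp_dev *d)  { d->refs--; }
static void key_lock(struct lock_model *l)   { l->held = 1; }
static void key_unlock(struct lock_model *l) { l->held = 0; }

/* The two halves of the check-and-set in mctp_flow_prepare_output(),
 * split so an adverse interleaving can be replayed step by step. */
static int  dev_unset(struct mctp_sk_key *k) { return k->dev == NULL; }
static void dev_set_key(struct mctp_sk_key *k, struct mctp_dev *d) { dev_hold(d); k->dev = d; }

/* Unlocked path, interleaved as: A checks, B checks, A sets, B sets.
 * Returns the references still held on dev after the key is torn down. */
int refs_leaked_unlocked(void) {
    struct mctp_dev dev = { 0 };
    struct mctp_sk_key key = { { 0 }, NULL };
    int a_proceeds = dev_unset(&key);
    int b_proceeds = dev_unset(&key);            /* B checks before A has set dev */
    if (a_proceeds) dev_set_key(&key, &dev);     /* first hold, soon overwritten */
    if (b_proceeds) dev_set_key(&key, &dev);     /* second hold, the one kept in key->dev */
    if (key.dev) dev_put(key.dev);               /* teardown releases only the tracked one */
    return dev.refs;                             /* 1: A's reference can never be dropped */
}

/* Fixed pattern (assumed): check and set run as one unit under key->lock,
 * so the interleaving above has no point at which to occur. */
static void prepare_output_locked(struct mctp_sk_key *k, struct mctp_dev *d) {
    key_lock(&k->lock);
    if (dev_unset(k)) dev_set_key(k, d);
    key_unlock(&k->lock);
}

int refs_leaked_locked(void) {
    struct mctp_dev dev = { 0 };
    struct mctp_sk_key key = { { 0 }, NULL };
    prepare_output_locked(&key, &dev);           /* caller A: sets dev, takes one hold */
    prepare_output_locked(&key, &dev);           /* caller B: sees dev set, takes nothing */
    if (key.dev) dev_put(key.dev);
    return dev.refs;                             /* 0: every hold was released */
}
```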

Defensive priority

Medium priority. The flaw requires local access and low privileges, but it can cause a kernel resource leak and availability degradation on affected systems.

Recommended defensive actions

  • Apply the Linux stable fixes referenced in the official kernel patch links.
  • Verify whether your deployed kernel falls within the affected ranges listed by NVD and plan updates accordingly.
  • Prioritize patching systems that use MCTP functionality or expose it to untrusted local users.
  • Monitor for kernel resource exhaustion or unusual device reference growth while remediation is in progress.

Evidence notes

This debrief is based on the supplied NVD CVE record, the CVE timing fields, and the official Linux kernel patch references. The vulnerability description states the race occurs in mctp_flow_prepare_output() when key->dev is checked and set without holding key->lock, and that the consequence is a leaked device reference leading to a resource leak. NVD classifies the issue as CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and marks affected Linux kernel ranges across multiple stable branches. The record was published on 2026-05-08 and modified on 2026-05-20.

Official resources

Publicly disclosed via the CVE and NVD records on 2026-05-08, with NVD metadata last updated on 2026-05-20. Official Linux kernel patch references are listed in the NVD record.