CVE-2026-43481 Linux CVE debrief

Who should care

Linux kernel maintainers, distro security teams, and administrators running kernels that include the net-shapers netlink code should care, especially where timely kernel patching is part of the security baseline.

Technical summary

According to the kernel fix description, genlmsg_reply() passes the reply skb to netlink, and netlink_unicast() consumes it on all return paths, including error handling. In net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit(), jumping to free_msg after genlmsg_reply() fails could call nlmsg_free(msg) on an skb that had already been consumed, creating a double-free condition. The corrective change is to return the genlmsg_reply() error directly and reserve free_msg for pre-reply failures. The NVD CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High: this is a kernel memory-corruption issue with local attack conditions and high confidentiality, integrity, and availability impact in the published CVSS vector.

Recommended defensive actions

• Apply the Linux kernel fixes referenced by the stable commit links in the source record.
• Review whether your deployed kernels include the net-shapers netlink code path described in the advisory.
• Prioritize patching on systems where local users or low-privileged processes can interact with the affected kernel interface.
• Track downstream vendor kernel advisories for package-specific backports or fixed builds.
• Validate that kernel update pipelines cover all supported branches and deployed images.

Evidence notes

The source corpus states that the vulnerability is resolved in the Linux kernel and explains the double-free mechanism in net_shapers netlink handlers. The NVD record provides the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The supplied references point to three kernel stable commit URLs, which should be treated as the official fix evidence in this corpus. No affected version range was provided in the supplied materials.

Official resources