CVE-2026-43091

HIGH

xfrm: Wait for RCU readers during policy netns exit

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables.

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (18)
linux/Kernel 4.9.0 - 6.6.136linux
linux/Kernel 6.13.0 - 6.18.24linux
linux/Kernel 6.19.0 - 6.19.14linux
linux/Kernel 6.7.0 - 6.12.83linux
Linux/Linux < 4.9
Linux/Linux 4.9
Linux/Linux 6.12.83 - 6.12.*
Linux/Linux 6.18.24 - 6.18.*
Linux/Linux 6.19.14 - 6.19.*
Linux/Linux 6.6.136 - 6.6.*
... and 8 more
Published May 06, 2026
Tracked Since May 06, 2026