CRITICAL🇵🇱 Wersja polska

CVE-2026-43011

CVSS 9.8v3.1pub. 2026-05-01upd. 2026-05-07

In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix potential double free of skb When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain: x25_queue_rx_frame returns 1 | v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0 | v x25_process_rx_frame returns queued=0 | v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again This would free the same skb twice. Looking at x25_backlog_rcv: net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }

🤖 AI Analysis
How it works

When the alloc_skb function cannot allocate memory in x25_queue_rx_frame, it frees the skb buffer by calling kfree_skb and returns an error code. The error code propagates through the call chain: x25_state3_machine, x25_process_rx_frame, until x25_backlog_rcv, which upon seeing the returned value queued=0 calls kfree_skb on the same buffer a second time. The result is a classic double free error causing corruption of the internal structures of the kernel memory allocator.

Impact

An attacker can cause kernel memory corruption, which in practice can result in privilege escalation, arbitrary code execution (RCE), or system failure (kernel panic / DoS).

Mitigation & patch

Patches available in the Linux kernel stable repository should be applied, as indicated in the references (commits: 143d4fa68ae9, 3f5e3005984645, 524371398d84, 5d0aa038a90b, c87dd137c0da). It is recommended to update to a kernel version containing these fixes according to your system distribution.

Who is affected

Linux kernel versions containing vulnerable net/x25 subsystem code — exact versions indicated in the manufacturer's references (commits on stable kernel.org).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    2.6.127.05.16 – 6.1.168 (bez)6.2 – 6.6.134 (bez)2.6.12.1 – 5.10.253 (bez)6.13 – 6.18.22 (bez)6.19 – 6.19.12 (bez)6.7 – 6.12.81 (bez)5.11 – 5.15.203 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...