Use of uninitialized resource in Linux kernel - CVE-2026-43036
Published: May 2, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper handling of packet header data in gso_features_check() when processing packets injected through PF_PACKET paths. A local attacker can inject a specially crafted packet to cause a denial of service.
The issue occurs because the IPv4 header access may rely on skb header offsets that are not always safe for direct dereference in this context.
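The defensive pattern behind the description above, shown as an added userspace example that is not kernel code and not the upstream fix: a header is copied out and used only after the claimed offset is checked against the data actually present. The `struct pkt` type, the function names and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace stand-in for a packet buffer (not the kernel's sk_buff). */
struct pkt {
    const uint8_t *data;  /* start of the linear data */
    size_t linear_len;    /* bytes actually present in the buffer */
    size_t net_off;       /* claimed network-header offset, set by the sender */
};

struct ipv4_hdr {         /* fixed 20-byte IPv4 header, wire byte order */
    uint8_t ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

/* Copy the header out only when it lies entirely inside the buffer.
 * Returns 0 on success, -1 when the claimed offset cannot be trusted. */
int pkt_read_ipv4(const struct pkt *p, struct ipv4_hdr *out)
{
    if (p->net_off > p->linear_len ||
        p->linear_len - p->net_off < sizeof(*out))   /* overflow-safe bound */
        return -1;
    memcpy(out, p->data + p->net_off, sizeof(*out));
    if ((out->ver_ihl >> 4) != 4 || (out->ver_ihl & 0x0f) < 5)
        return -1;                                   /* not a sane IPv4 header */
    return 0;
}

/* Caller pattern: use header fields only after a successful checked read. */
int pkt_ipv4_protocol(const struct pkt *p)
{
    struct ipv4_hdr h;
    return pkt_read_ipv4(p, &h) == 0 ? h.protocol : -1;
}

int main(void)
{
    uint8_t frame[34] = {0};      /* constructed: 14-byte L2 header + IPv4 header */
    frame[14] = 0x45;             /* version 4, IHL 5 */
    frame[23] = 6;                /* protocol = TCP */
    struct pkt ok = { frame, sizeof(frame), 14 };
    struct pkt cut = { frame, 20, 14 };   /* header runs past the data */
    printf("%d %d\n", pkt_ipv4_protocol(&ok), pkt_ipv4_protocol(&cut));
    return 0;
}
```

In kernel code the equivalent checked access is normally done with helpers such as `skb_header_pointer()` or `pskb_may_pull()` rather than a direct dereference of a header offset.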