Race condition in Linux kernel - CVE-2026-43455
Published: May 8, 2026
Vulnerability identifier: #VU130722
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43455
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a resource leak.
The vulnerability exists due to a race condition in mctp_flow_prepare_output() when processing transmit path operations that access key->dev without holding key->lock. A local user can trigger concurrent operations to cause a resource leak.
How to mitigate CVE-2026-43455
Install the security update from the vendor's repository.
Sources
- https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc
- https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772
- https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a
- https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91
- https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e
- https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f