Race condition in Linux kernel - CVE-2026-43389

 

Published: May 8, 2026


Vulnerability identifier: #VU130790
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43389
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a loss of user data.

The vulnerability exists due to improper state synchronization in memfd_luo folio dirty-state handling when preserving and retrieving serialized folios. A local user can preserve a memfd file whose folios are modified after preservation to cause a loss of user data.

The issue occurs because folios recorded as clean can later become dirty before retrieval, and the restored kernel may reclaim them under memory pressure.


How to mitigate CVE-2026-43389

Install the security update from the vendor's repository.
