Improper Initialization in Linux kernel - CVE-2026-43489

Published: May 14, 2026


Vulnerability identifier: #VU131426
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43489
CWE-ID: CWE-665
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the liveupdate luo_file handling when repeated LIVEUPDATE_SESSION_RETRIEVE_FD ioctl requests are processed after a failed retrieve attempt. A local user can trigger a failed retrieve and then retry the ioctl to cause a denial of service.

The issue can also affect session cleanup, because finish() may act on serialization data structures that were already partially restored, freed, or left in an unexpected state.

How to mitigate CVE-2026-43489

Install the security update from the vendor's repository.