CVE Catalog

CVE-2026-43198

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

A race condition vulnerability was found in the Linux kernel's tcp_v6_syn_recv_sock() function. After calling tcp_v4_syn_recv_sock(), the child socket becomes visible in the TCP ehash table, but the pinet6 pointer still points to the listener's ipv6_pinfo, which can cause incorrect behavior.

Risk Assessment

An attacker could exploit this race to access incorrect IPv6 socket structure data from the listening socket, potentially leading to data integrity issues or system crashes.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit moving code to tcp_v6_mapped_child_init()). Monitor official security advisories from your distribution.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS