CVE-2026-43198
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
A race condition vulnerability was found in the Linux kernel's tcp_v6_syn_recv_sock() function. After calling tcp_v4_syn_recv_sock(), the child socket becomes visible in the TCP ehash table, but the pinet6 pointer still points to the listener's ipv6_pinfo, which can cause incorrect behavior.
Risk Assessment
An attacker could exploit this race to access incorrect IPv6 socket structure data from the listening socket, potentially leading to data integrity issues or system crashes.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit moving code to tcp_v6_mapped_child_init()). Monitor official security advisories from your distribution.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.

