CVE Catalog

CVE-2026-43402

Critical
Published: Translated: NVD NIST

Summary

A vulnerability has been identified in the Linux kernel related to improper management of kthread exit paths, leading to a use-after-free issue. The problem was reported during KUnit testing, where crashes occurred due to corrupted RCU callback function pointers.

Risk Assessment

This vulnerability may lead to system crashes and potential exploitation by malicious software, posing a threat to the stability and security of the operating system.

Recommendation

It is recommended to update the Linux kernel to the latest version where this vulnerability has been patched to minimize the risk associated with its exploitation.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting t

Vulnerability data from NVD (NIST) · CISA KEV · EPSS