CVE-2026-43249

{"id": "CVE-2026-43249", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-05-06T12:16:45.493", "references": [{"url": "https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[ 27.052418] Call Trace:\n[ 27.052420] <TASK>\n[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720\n[ 27.052426] ? xenbus_otherend_changed+0x72/0x140\n[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10\n[ 27.052434] xenwatch_thread+0x94/0x1c0\n[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10\n[ 27.052442] kthread+0xf8/0x240\n[ 27.052445] ? __pfx_kthread+0x10/0x10\n[ 27.052449] ? __pfx_kthread+0x10/0x10\n[ 27.052452] ret_from_fork+0x16b/0x1a0\n[ 27.052456] ? __pfx_kthread+0x10/0x10\n[ 27.052459] ret_from_fork_asm+0x1a/0x30\n[ 27.052463] </TASK>\n[ 27.052465] Modules linked in:\n[ 27.052471] ---[ end trace 0000000000000000 ]---"}], "lastModified": "2026-05-11T13:10:20.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E08C858-E25B-40F9-B5B6-344EFFDB2285", "versionEndExcluding": "6.12.75", "versionStartIncluding": "4.14.308"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B", "versionEndExcluding": "6.18.16", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67", "versionEndExcluding": "6.19.6", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}