Description
In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix potential double free of skb

When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at
line 48 and returns 1 (error).
This error propagates back through the call chain:

x25_queue_rx_frame returns 1
|
v
x25_state3_machine receives the return value 1 and takes the else
branch at line 278, setting queued=0 and returning 0
|
v
x25_process_rx_frame returns queued=0
|
v
x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)
again

This would free the same skb twice. Looking at x25_backlog_rcv:

net/x25/x25_in.c:x25_backlog_rcv() {
    ...
    queued = x25_process_rx_frame(sk, skb);
    ...
    if (!queued)
        kfree_skb(skb);
}
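
The ownership mismatch in the call chain above, as a userspace model added here for illustration (not kernel code and not the upstream patch). The names mock_skb, mock_kfree_skb and backlog_rcv_frees are hypothetical, and the callee_frees=false variant is an assumed convention in which only the caller frees on failure.

```c
/* Constructed userspace model of the x25 rx path; frees are counted,
 * never performed, so the double free is observable without heap damage. */
#include <stdbool.h>
#include <stdio.h>

struct mock_skb { int frees; };              /* stand-in for struct sk_buff */

static void mock_kfree_skb(struct mock_skb *skb) { skb->frees++; }

/* Models x25_queue_rx_frame. alloc_ok=false simulates alloc_skb() failing.
 * callee_frees=true is the behaviour the description reports. */
static int queue_rx_frame(struct mock_skb *skb, bool alloc_ok, bool callee_frees)
{
    if (!alloc_ok) {
        if (callee_frees)
            mock_kfree_skb(skb);             /* first free */
        return 1;                            /* error */
    }
    return 0;                                /* queued: ownership transferred */
}

/* Models x25_state3_machine / x25_process_rx_frame: an error from the
 * callee takes the else branch and reports queued=0 to the caller. */
static int process_rx_frame(struct mock_skb *skb, bool alloc_ok, bool callee_frees)
{
    int queued;
    if (queue_rx_frame(skb, alloc_ok, callee_frees) == 0)
        queued = 1;
    else
        queued = 0;
    return queued;
}

/* Models x25_backlog_rcv: frees the skb whenever it was not queued.
 * Returns how many times the same skb was freed on this path. */
static int backlog_rcv_frees(bool alloc_ok, bool callee_frees)
{
    struct mock_skb skb = { 0 };
    if (!process_rx_frame(&skb, alloc_ok, callee_frees))
        mock_kfree_skb(&skb);                /* second free when callee_frees */
    return skb.frees;
}

int main(void)
{
    printf("alloc ok:                    frees=%d\n", backlog_rcv_frees(true, true));
    printf("alloc fails, callee frees:   frees=%d\n", backlog_rcv_frees(false, true));
    printf("alloc fails, caller only:    frees=%d\n", backlog_rcv_frees(false, false));
    return 0;
}
```

A free count of 2 on one path is the double free; a count of exactly 1 on every failure path is the invariant to check when reviewing similar "returns error and frees" helpers.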
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Linux kernel's X.25 networking stack where a failure to allocate a socket buffer (skb) can trigger a double free. The kernel first frees the skb on allocation failure, then returns an error code that causes higher‑level functions to also free the same skb. This is a double‑free vulnerability (CWE-1341, CWE-415) that can corrupt kernel memory and lead to kernel crashes or potential privilege escalation. The likely attack vector is a crafted X.25 packet that forces a skb allocation failure, triggering the double‑free path.

Affected Systems

Linux kernel users are affected. The fixed code resides in the source path net/x25/x25_in.c; any system running a kernel version prior to the patch that includes this X.25 driver is at risk. The precise versions are not listed, but all distributions shipping kernels without this fix are vulnerable when the X.25 protocol is enabled. The kernel version must be updated to the patched release that incorporates the double‑free fix.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical severity. The EPSS score is <1%, implying a low probability of exploitation at present. Nevertheless, because the flaw permits kernel memory corruption, the potential impact remains high if an attacker can reach the vulnerable code. No published exploit is known at the time of this analysis, which lowers the immediate exploitation likelihood. The risk remains significant for environments that enable X.25 networking and run older kernels, as a local or remote attacker with packet injection capabilities could trigger the double‑free path and achieve privilege escalation or denial of service. The KEV catalog does not list this CVE, suggesting it has not been widely exploited yet.

Generated by OpenCVE AI on May 7, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the double‑free fix in the X.25 stack.
  • If the X.25 protocol is not required, disable it in the kernel configuration or via sysctl to remove the code path that can be exploited.
  • Monitor system logs for warnings or crashes related to socket buffers or memory corruption and ensure that any kernel crash dumps are updated and analyzed promptly.



Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DLA  DLA-4606-1  linux security update
Debian DSA  DSA-6243-1  linux security update

History

Thu, 07 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title net/x25: Fix potential double free of skb
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:58.666Z

Reserved: 2026-05-01T14:12:55.974Z

Link: CVE-2026-43011

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:44.993

Modified: 2026-05-07T20:26:58.903

Link: CVE-2026-43011

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43011 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T21:45:36Z
