Description
In the Linux kernel, the following vulnerability has been resolved:

mpls: add seqcount to protect the platform_label{,s} pair

The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have
an inconsistent view of platform_labels vs platform_label in case of a
concurrent resize (resize_platform_label_table, under
platform_mutex). This can lead to OOB accesses.

This patch adds a seqcount, so that we get a consistent snapshot.

Note that mpls_label_ok is also susceptible to this, so the check
against RTA_DST in rtm_to_route_config, done outside platform_mutex,
is not sufficient. This value gets passed to mpls_label_ok once more
in both mpls_route_add and mpls_route_del, so there is no issue, but
that additional check must not be removed.
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s MPLS implementation suffered a race condition when the platform_label table was resized while a read path guarded by RCU was executing. Under these conditions the reader could observe an inconsistent view of the platform_label versus platform_labels structures, producing out‑of‑bounds memory accesses. Because the code runs in kernel space, such corruption could enable privilege escalation or denial of service. The patch introduces a seqcount guard so that read paths obtain a consistent snapshot, removing the unsafe accesses.
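An added example (not the kernel patch and not code from this record): a userspace C11 model of the seqcount pattern described above, guarding an array pointer and its length as one pair. All names (`label_table`, `resize_begin`, `try_snapshot`, `lookup`) are hypothetical, and the constructed scenario stops a shrink halfway to show the reader refusing the mixed "new array, old length" view that would otherwise allow an out-of-bounds index.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Userspace model of the fix; all names are hypothetical, not kernel APIs. */
struct label_table {
    atomic_uint seq;         /* odd while a resize is in progress */
    _Atomic(int *) label;    /* models platform_label (the array) */
    atomic_size_t labels;    /* models platform_labels (its length) */
};

/* Writer side; the kernel serializes writers with platform_mutex. */
static void resize_begin(struct label_table *t) { atomic_fetch_add(&t->seq, 1); }
static void resize_end(struct label_table *t)   { atomic_fetch_add(&t->seq, 1); }

/* One read attempt: succeeds only if no resize overlapped the two loads. */
static int try_snapshot(struct label_table *t, int **arr, size_t *len)
{
    unsigned start = atomic_load(&t->seq);
    if (start & 1) return 0;               /* resize in progress */
    *arr = atomic_load(&t->label);
    *len = atomic_load(&t->labels);
    return atomic_load(&t->seq) == start;  /* unchanged => consistent pair */
}

/* Bounds-checked lookup: index is checked against the snapshot length only. */
static int lookup(struct label_table *t, size_t index, int *out)
{
    int *arr; size_t len;
    while (!try_snapshot(t, &arr, &len))
        ;                                  /* retry until the writer finishes */
    if (index >= len)
        return -1;
    *out = arr[index];
    return 0;
}

/* Constructed scenario: shrink 8 -> 2 entries, pausing halfway. Returns 1 if
 * the torn pair was refused and the finished resize is then seen whole. */
static int torn_pair_rejected(void)
{
    static int big[8], small[2];
    struct label_table t = { 0, big, 8 };
    int *arr; size_t len;
    resize_begin(&t);
    atomic_store(&t.label, small);         /* array swapped, length still 8 */
    int refused = !try_snapshot(&t, &arr, &len);
    atomic_store(&t.labels, 2);
    resize_end(&t);
    return refused && try_snapshot(&t, &arr, &len) && arr == small && len == 2;
}
```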

Affected Systems

All Linux kernel releases without the seqcount protection in the MPLS code are affected. The vulnerability exists in builds preceding commits 5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef and 629ec78ef8608d955ce217880cdc3e1873af3a15; any version that has not incorporated these commits is affected.

Risk and Exploitability

The CVSS score of 7.1 denotes a high‑severity vulnerability, while the EPSS score of <1% indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, but it remains a high‑risk issue for systems that can be influenced by local attackers capable of sending crafted MPLS packets or manipulating routes while a resize operation is underway. Exploitation would result in kernel memory corruption, potentially granting the attacker elevated privileges or forcing a system reboot.

Generated by OpenCVE AI on May 8, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the seqcount protection in the MPLS implementation (commits 5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef and 629ec78ef8608d955ce217880cdc3e1873af3a15).
  • If an immediate kernel upgrade is not possible, rebuild your kernel applying the upstream patches before deployment.
  • Configure firewall rules or disable MPLS processing on untrusted interfaces until the kernel is updated to prevent attackers from sending malicious MPLS traffic to the host.

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-362

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-362

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mpls: add seqcount to protect the platform_label{,s} pair The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses. This patch adds a seqcount, so that we get a consistent snapshot. Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.
Title mpls: add seqcount to protect the platform_label{,s} pair
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:35.646Z

Reserved: 2026-05-01T14:12:55.978Z

Link: CVE-2026-43042

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:50.423

Modified: 2026-05-08T18:55:44.007

Link: CVE-2026-43042

Redhat

Severity: Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43042 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:45:19Z

Weaknesses