Description
In the Linux kernel, the following vulnerability has been resolved:

xfrm: Wait for RCU readers during policy netns exit

xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
policy work items and deleting all policies, but it does not wait for
concurrent RCU readers to leave their read-side critical sections first.

The policy_bydst tables are published via rcu_assign_pointer() and are
looked up through rcu_dereference_check(), so netns teardown must also
wait for an RCU grace period before freeing the table memory.

Fix this by adding synchronize_rcu() before freeing the policy hash tables.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Linux kernel finalizes an XFRM network namespace by freeing the policy_bydst hash tables immediately after flushing policy work items, without waiting for concurrent RCU readers to exit their read‑side critical sections. Because these tables are published via rcu_assign_pointer and accessed through rcu_dereference_check, the premature release can trigger a use‑after‑free scenario. An attacker could potentially exploit this race to crash the kernel or manipulate privileged data, leading to denial of service or escalation of privileges within the affected system.
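
The teardown ordering described above, as an added example that is not kernel code and not part of the advisory. It is a single-threaded userspace model in which the grace period is represented by running the in-flight reader to completion; all names (table, reader, model_synchronize, run_scenario) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model: "freed" marks the table instead of free(), so a stale access is counted. */
struct table  { int bucket[4]; bool freed; };
struct reader { struct table *t; bool in_cs; };  /* in_cs: inside read-side section */
static struct table *published;  /* stands in for a policy_bydst table pointer */
static int stale_reads;          /* reads that touched a freed table */

static void reader_enter(struct reader *r)   /* rcu_read_lock + rcu_dereference */
{
    r->in_cs = true;
    r->t = published;
}

static void reader_finish(struct reader *r)  /* use the table, rcu_read_unlock */
{
    if (r->in_cs && r->t && r->t->freed)
        stale_reads++;
    r->in_cs = false;
    r->t = NULL;
}

/* Grace period in this model: readers already in their section run to completion. */
static void model_synchronize(struct reader *rs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (rs[i].in_cs)
            reader_finish(&rs[i]);
}

static void teardown(struct table *t, struct reader *rs, size_t n, bool wait)
{
    if (wait)
        model_synchronize(rs, n);  /* the wait the fix adds */
    t->freed = true;               /* stands in for freeing the hash table */
}

/* One reader is mid-lookup when the namespace exits; returns stale reads seen. */
int run_scenario(bool wait)
{
    struct table t = { {1, 2, 3, 4}, false };
    struct reader r = { NULL, false };
    stale_reads = 0;
    published = &t;
    reader_enter(&r);              /* reader now holds the table pointer */
    teardown(&t, &r, 1, wait);
    reader_finish(&r);             /* reader resumes after teardown returns */
    return stale_reads;
}
```

run_scenario(false) models the pre-fix ordering and reports one stale read; run_scenario(true) models the ordering with the wait and reports none.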

Affected Systems

The flaw is present in all versions of the Linux kernel that have not applied the patch that adds a synchronize_rcu() call before freeing the policy hash tables. No specific version range is listed; affected releases include any kernel built before the commit referenced in the advisory (e.g., 069daad4f2ae9c5c108131995529d5f02392c446).

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity. The EPSS score is less than 1%, reflecting a very low likelihood of exploitation. The issue is not currently listed in CISA KEV, so no widespread exploitation is known. The exploit requires the ability to trigger a network‑namespace teardown while other contexts retain RCU references to the policy tables, which may limit the attack surface. Nevertheless, the potential for a kernel crash or privilege elevation warrants prompt action if the affected kernel version is in use.

Generated by OpenCVE AI on May 19, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that inserts synchronize_rcu() before freeing the policy_bydst tables, as referenced in the advisory commits.
  • Rebuild and install the updated kernel, then reboot into the new kernel image.
  • Verify that any network namespaces are cleanly removed before shutdown or system reconfiguration to avoid triggering the bug during normal operation.

Advisories

No advisories yet.

History

Tue, 19 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-416
CWE-788

Tue, 19 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-416

Tue, 19 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-416

Fri, 08 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-416

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 02:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368
CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables.
Title xfrm: Wait for RCU readers during policy netns exit
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:33.354Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43091

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T10:16:22.433

Modified: 2026-05-19T20:42:35.963

Link: CVE-2026-43091

Red Hat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43091 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T23:30:05Z