CVE-2026-43198 - Vulnerability Details

- tcp: fix potential race in tcp_v6_syn_recv_sock()

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix potential race in tcp_v6_syn_recv_sock()

Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()
is done too late.

After tcp_v4_syn_recv_sock(), the child socket is already visible
from TCP ehash table and other cpus might use it.

Since newinet->pinet6 is still pointing to the listener ipv6_pinfo
bad things can happen as syzbot found.

Move the problematic code in tcp_v6_mapped_child_init()
and call this new helper from tcp_v4_syn_recv_sock() before
the ehash insertion.

This allows the removal of one tcp_sync_mss(), since
tcp_v4_syn_recv_sock() will call it with the correct
context.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Based on the description, the vulnerability arises from a race condition in tcp_v6_syn_recv_sock() where the child socket becomes visible in the TCP ehash table before appropriate initialization. The timing issue may allow another CPU to access the socket with an incomplete IPv6 pointer, potentially causing memory corruption or a kernel panic. The primary impact is loss of confidentiality, integrity, and availability due to possible kernel faults.

Affected Systems

The affected product is the Linux kernel in all releases that contain the unpatched implementation of tcp_v6_syn_recv_sock(). No specific version range is listed, so any active kernel signed by Linux:Linux is potentially vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector involves network-based traffic that triggers a SYN packet to the affected socket, inducing the race condition. The exact exploitation vector is not detailed, and no EPSS or CVSS score is available, so the likelihood of exploitation remains uncertain. However, because the flaw can lead to kernel corruption, the risk of exploitation is considered high in terms of impact, while the likelihood remains uncertain due to lack of publicly reported cases.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< fe89b2f05b854847784f91127319172945c1fadd
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 7178e2a8027423b2af17ab95df73a749a5b72e5b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 858d2a4f67ff69e645a43487ef7ea7f28f06deae

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fe89b2f05b854847784f91127319172945c1fadd)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7178e2a8027423b2af17ab95df73a749a5b72e5b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,858d2a4f67ff69e645a43487ef7ea7f28f06deae)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the system to a Linux kernel version that incorporates the patch from the kernel commit (e.g.,the changes reflected in the references provided) and reboot the server to activate the new kernel.
If a kernel update cannot be applied immediately, apply the specific patch directly from the commit logs to the current kernel source, rebuild, and flash the new kernel image, then reboot.
After applying the fix or updating the kernel, monitor system logs for signs of unexpected kernel crashes or memory corruption to confirm that the issue has been fully mitigated.

Generated by OpenCVE AI on May 6, 2026 at 16:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b
https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae
https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd

History

Wed, 06 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
Title		tcp: fix potential race in tcp_v6_syn_recv_sock()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:05.569Z

Updated: 2026-05-06T11:28:05.569Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43198

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:38.857

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:45:08Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object