Description
In the Linux kernel, the following vulnerability has been resolved:

tcp: fix potential race in tcp_v6_syn_recv_sock()

Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock()
is done too late.

After tcp_v4_syn_recv_sock(), the child socket is already visible
from TCP ehash table and other cpus might use it.

Since newinet->pinet6 is still pointing to the listener ipv6_pinfo
bad things can happen as syzbot found.

Move the problematic code in tcp_v6_mapped_child_init()
and call this new helper from tcp_v4_syn_recv_sock() before
the ehash insertion.

This allows the removal of one tcp_sync_mss(), since
tcp_v4_syn_recv_sock() will call it with the correct
context.
Published: 2026-05-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the vulnerability arises from a race condition in tcp_v6_syn_recv_sock() where the child socket becomes visible in the TCP ehash table before appropriate initialization. The timing issue may allow another CPU to access the socket with an incomplete IPv6 pointer, potentially causing memory corruption or a kernel panic. This flaw is characterized by concurrency‑related weakness and an improper initialization condition. The primary impact is loss of confidentiality, integrity, and availability due to possible kernel faults.

Affected Systems

The affected product is the Linux kernel in all releases that contain the unpatched implementation of tcp_v6_syn_recv_sock(). No specific version range is listed, so any active kernel signed by Linux:Linux is potentially vulnerable.

Risk and Exploitability

The likely attack vector involves network‑based traffic that triggers a SYN packet to the affected socket, inducing the race condition. The EPSS score is < 1%, and the CVSS score is 9.8, making the likelihood of exploitation uncertain. Although exploitability is uncertain, because the flaw can lead to kernel corruption, the risk of exploitation is considered high in terms of impact.

Generated by OpenCVE AI on May 11, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a Linux kernel version that incorporates the patch from the kernel commit (e.g., the changes reflected in the references provided) and reboot the server to activate the new kernel.
  • If a kernel update cannot be applied immediately, apply the specific patch directly from the commit logs to the current kernel source, rebuild, and flash the new kernel image, then reboot.
  • After applying the fix or updating the kernel, monitor system logs for signs of unexpected kernel crashes or memory corruption to confirm that the issue has been fully mitigated.

Generated by OpenCVE AI on May 11, 2026 at 22:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
Title tcp: fix potential race in tcp_v6_syn_recv_sock()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:44.515Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43198

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:38.857

Modified: 2026-05-11T20:12:11.740

Link: CVE-2026-43198

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43198 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses