CVE-2026-43303 - Vulnerability Details

- mm/page_alloc: clear page->private in free_pages_prepare()

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.

This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:

KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.

Published: 2026-05-08

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel mistakenly reused stale values in page->private when freeing pages, allowing the swap subsystem to treat outdated data as a valid continuation list. This leads to a use‑after‑free condition that corrupts kernel memory and causes a crash, as observed by the KASAN error in __do_sys_swapoff. The weakness is a use‑after‑free condition (CWE‑909) and can bring the system down, but there is no evidence of remote code execution or integrity compromise.

Affected Systems

All Linux kernel versions lacking the patch that clears page->private in free_pages_prepare() are affected. The vulnerability touches several subsystems—slub, shmem, ttm, among others—that rely on page->private for their internal state, yet the damage manifests in the swap subsystem. No specific version numbers were supplied, so the impact applies to any kernel before the fix was merged.

Risk and Exploitability

The vulnerability has no publicly listed KEV status and no EPSS score is available, but the nature of the fault means a local attacker who can trigger high-order page allocation or execute swapoff will likely cause a fatal kernel panic. The CVSS score of 7.0 indicates high severity; however, the potential for a complete system reboot gives it a moderate to high risk. The attack vector is inferred as local privileged or root activity that can execute swapoff or manipulate memory allocation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3b8000ae185cb068adbda5f966a3835053c85fd4`	affected	< 23b82b7a26182ad840ae67d390d7ec9771e8c00f
`3b8000ae185cb068adbda5f966a3835053c85fd4`	affected	< d757c793853ec5483eb41ec2942c300b8fa720fb
`3b8000ae185cb068adbda5f966a3835053c85fd4`	affected	< ac1ea219590c09572ed5992dc233bbf7bb70fef9

Linux

affected

Version	Status	Constraints
`5.18`	affected	—
`0`	unaffected	< 5.18
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3b8000ae185cb068adbda5f966a3835053c85fd4,23b82b7a26182ad840ae67d390d7ec9771e8c00f)`	affected	code_commit	—
`[3b8000ae185cb068adbda5f966a3835053c85fd4,d757c793853ec5483eb41ec2942c300b8fa720fb)`	affected	code_commit	—
`[3b8000ae185cb068adbda5f966a3835053c85fd4,ac1ea219590c09572ed5992dc233bbf7bb70fef9)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.18`	affected	generic	—
`[0,5.18)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix for page->private clearing in free_pages_prepare()
Reboot the system to load the updated kernel
Subscribe your distribution’s security update service to receive timely patch notifications

Generated by OpenCVE AI on May 9, 2026 at 01:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f
https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9
https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb
https://lore.kernel.org/linux-cve-announce/2026050857-CVE-2026-43303-dc12@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43303
https://www.cve.org/CVERecord?id=CVE-2026-43303

History

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-909
References		https://lore.kernel.org/linux-cve-announce/2026050857-CVE-2026-43303-dc12@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43303 https://www.cve.org/CVERecord?id=CVE-2026-43303
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 08 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values. This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860 Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use.
Title		mm/page_alloc: clear page->private in free_pages_prepare()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9 https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:11:23.561Z

Updated: 2026-05-08T13:11:23.561Z

Reserved: 2026-05-01T14:12:56.000Z

Link: CVE-2026-43303

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:37.583

Modified: 2026-05-08T14:16:37.583

Link: CVE-2026-43303

Redhat

Severity : Important

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43303 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:00:19Z

Weaknesses

CWE-909

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object