Description
In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Linux kernel networking stack. When a nexthop is removed from a group, remove_nh_grp_entry publishes a new group via RCU and immediately frees the per‑CPU statistics of the removed entry. Because the caller does not wait for the RCU grace period before freeing, an RCU reader that had accessed the old group can dereference the freed statistics, resulting in memory corruption. This weakness, classified as CWE‑825, can allow an attacker who can trigger a nexthop removal to execute arbitrary code with kernel privileges. Based on the description, the likely attack vector is netlink operations that modify routing tables.
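The ordering problem described above, as an added example that is not kernel code and not part of the original advisory: a single-threaded userspace model in which a reader that entered before the publish finishes its stats update at the grace period. All names are constructed for illustration, and freeing only sets a flag so the late access can be counted.

```c
/* Userspace model of the ordering bug; not kernel code. Names are constructed
 * for illustration; "freeing" only sets a flag so a late access is countable. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct entry { long stats; bool stats_freed; struct entry *next_free; };
struct group { struct entry *ent[2]; int num; };

static struct group *published;    /* pointer that readers dereference */
static struct group *reader_view;  /* group held by a reader that entered early */
static int late_hits;              /* reader touches of already-freed stats */

static void free_stats(struct entry *e) { e->stats_freed = true; }

/* The reader's remaining work: bump stats on every entry in its group. */
static void reader_finish(void)
{
    for (int i = 0; reader_view && i < reader_view->num; i++) {
        struct entry *e = reader_view->ent[i];
        if (e->stats_freed) late_hits++; else e->stats++;
    }
    reader_view = NULL;
}

/* Grace period: returns only once pre-existing readers are done. */
static void synchronize_model(void) { reader_finish(); }

int simulate(bool defer_free)
{
    struct entry a = {0}, b = {0}, *deferred = NULL;
    struct group oldg = { { &a, &b }, 2 }, newg = { { &a, NULL }, 1 };
    late_hits = 0;
    published = &oldg;
    reader_view = published;        /* reader enters before the publish */
    published = &newg;              /* new group published without b */
    if (defer_free) { b.next_free = deferred; deferred = &b; }
    else free_stats(&b);            /* vulnerable: freed before grace period */
    synchronize_model();            /* the caller's grace period */
    for (struct entry *e = deferred; e; e = e->next_free)
        free_stats(e);              /* fixed: freed after grace period */
    return late_hits;
}

int main(void)
{
    printf("free before grace period: %d late access(es)\n", simulate(false));
    printf("free after grace period:  %d late access(es)\n", simulate(true));
}
```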

Affected Systems

All Linux kernel releases that include the vulnerable remove_nh_grp_entry implementation are affected. The advisories reference the entire Linux kernel family, and no specific version range is provided. If your system is running a kernel prior to the commit that defers freeing per‑CPU statistics until after synchronize_net, the vulnerability remains present.

Risk and Exploitability

The CVSS score of 7.0 places this flaw in the high severity range. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation has been reported yet. However, use‑after‑free bugs in core networking code are known to be exploitable in the wild, and based on the description the attacker can exploit the issue via standard netlink interfaces, potentially escalating privileges. Administrators should treat the vulnerability as high risk and prioritize patching.

Generated by OpenCVE AI on May 9, 2026 at 05:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the patch which defers freeing per‑CPU network statistics until after the RCU grace period.
  • After upgrading, reboot the host or restart networking services to ensure the patched kernel is active.
  • If immediate updating is not possible, restrict netlink operations that modify nexthop groups to privileged users or disable the ability to create or delete groups on the affected systems.



Advisories

No advisories yet.

History

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
Title net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:24.537Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43374

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:48.547

Modified: 2026-05-08T15:16:48.547

Link: CVE-2026-43374

Red Hat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43374 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:15:06Z
