Description
In the Linux kernel, the following vulnerability has been resolved:

mctp: route: hold key->lock in mctp_flow_prepare_output()

mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

CPU0                                        CPU1
----                                        ----
mctp_flow_prepare_output(key, devA)
  if (!key->dev)        // sees NULL
                                            mctp_flow_prepare_output(key, devB)
                                              if (!key->dev)      // still NULL
                                              mctp_dev_set_key(devB, key)
                                                mctp_dev_hold(devB)
                                                key->dev = devB
  mctp_dev_set_key(devA, key)
    mctp_dev_hold(devA)
    key->dev = devA     // overwrites devB

Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.

Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the MCTP routing code of the Linux kernel. When preparing an outgoing message, mctp_flow_prepare_output() checks whether the key is already bound to a device and, if not, calls mctp_dev_set_key(), a helper annotated as requiring key->lock. Because the transmit path reaches it without holding that lock, two CPUs can both observe key->dev as NULL and each bind a different device. Whichever assignment lands last overwrites the other, so both devices' references were taken but only the final key->dev value is released later by mctp_dev_release_key(). The orphaned reference is never dropped, so that device's reference count leaks. Each further race that wins leaks another reference; over time this can exhaust kernel resources and destabilize the system. The published CVSS vector rates the impact as availability only (A:H, with no confidentiality or integrity impact).
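To make the lost-reference interleaving concrete, here is an added user-space C model written for this page; it is not kernel code and not part of the fix. It replays the exact schedule from the commit message above (CPU0 checks, CPU1 checks and sets, CPU0 sets) against a two-field stand-in for the key, first with no lock and then with key->lock modelled as an owner field that blocks the second CPU's check until the first CPU's set has completed. The struct layouts, the plain integer refcount, the lock_owner field and the step scheduler are assumptions of the model; the helper names mirror the kernel's but their bodies are simplified.

```c
/* Deterministic model of the mctp_flow_prepare_output() race (CVE-2026-43455).
 * Hypothetical user-space code: the structs, refcount and scheduler below are
 * stand-ins chosen for this example, not the kernel's real definitions. */
#include <stdio.h>
#include <stddef.h>

struct mctp_dev { const char *name; int refs; };       /* refs stands in for refcount_t */
struct mctp_sk_key { struct mctp_dev *dev; int lock_owner; }; /* -1 = lock free, else CPU id */

static void mctp_dev_hold(struct mctp_dev *d) { d->refs++; }
static void mctp_dev_put(struct mctp_dev *d)  { d->refs--; }

/* In the kernel both helpers are annotated __must_hold(&key->lock). */
static void mctp_dev_set_key(struct mctp_dev *d, struct mctp_sk_key *k)
{
	mctp_dev_hold(d);
	k->dev = d;
}

static void mctp_dev_release_key(struct mctp_sk_key *k)
{
	if (k->dev) {
		mctp_dev_put(k->dev);   /* only the dev currently in key->dev is dropped */
		k->dev = NULL;
	}
}

enum step { CHECK, SET, DONE };
struct cpu { int id; struct mctp_dev *dev; enum step st; int need_set; };

/* One step of the check-and-set sequence on a CPU.  Returns 0 when the CPU
 * is blocked waiting for key->lock (only possible with use_lock != 0). */
static int cpu_step(struct cpu *c, struct mctp_sk_key *key, int use_lock)
{
	switch (c->st) {
	case CHECK:
		if (use_lock) {
			if (key->lock_owner != -1 && key->lock_owner != c->id)
				return 0;                 /* spin_lock() would block here */
			key->lock_owner = c->id;
		}
		c->need_set = (key->dev == NULL);         /* the "check" half */
		c->st = SET;
		return 1;
	case SET:
		if (c->need_set)
			mctp_dev_set_key(c->dev, key);    /* the "set" half; racy if unlocked */
		if (use_lock)
			key->lock_owner = -1;
		c->st = DONE;
		return 1;
	case DONE:
		return 1;
	}
	return 1;
}

/* Drive the commit message's interleaving: CPU0 check, CPU1 check, CPU1 set,
 * CPU0 set.  Returns the number of device references still held after the key
 * is released: 0 means no leak, 1 reproduces the bug. */
static int run_scenario(int use_lock)
{
	struct mctp_dev devA = { "devA", 0 }, devB = { "devB", 0 };
	struct mctp_sk_key key = { NULL, -1 };
	struct cpu cpus[2] = { { 0, &devA, CHECK, 0 }, { 1, &devB, CHECK, 0 } };
	static const int order[] = { 0, 1, 1, 0 };
	size_t i;
	int progressed;

	for (i = 0; i < sizeof(order) / sizeof(order[0]); i++)
		(void)cpu_step(&cpus[order[i]], &key, use_lock); /* a blocked CPU just makes no progress */

	/* let a CPU that was blocked on the lock finish once it is released */
	do {
		progressed = 0;
		for (i = 0; i < 2; i++)
			if (cpus[i].st != DONE && cpu_step(&cpus[i], &key, use_lock))
				progressed = 1;
	} while (progressed);

	mctp_dev_release_key(&key);
	return devA.refs + devB.refs;
}

int main(void)
{
	printf("unlocked: %d reference(s) leaked\n", run_scenario(0));
	printf("locked:   %d reference(s) leaked\n", run_scenario(1));
	return 0;
}
```

Without the lock both CPUs pass the NULL check, devB's hold is orphaned when CPU0 overwrites key->dev with devA, and one reference survives the release. With the lock, CPU1's check cannot run until CPU0's set has completed, so it sees devA already bound and takes no second hold.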

Affected Systems

The issue affects any Linux kernel build that includes the MCTP routing code and does not carry the fix that takes key->lock around the key->dev check. All unpatched releases with this code remain vulnerable; the CPE entries recorded in the History section below name the 7.0-rc1 through 7.0-rc3 kernels. The race lives in the kernel's MCTP transmit path and does not depend on particular hardware: any system that sends MCTP traffic concurrently on the same key can hit it.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no known public exploitation. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) rates the flaw as locally triggerable by a low-privileged user with no user interaction, with availability as the only impact; it is not a remote attack. Triggering it means racing concurrent MCTP sends on the same key so that both observe key->dev as NULL; each winning race silently leaks one device reference, and repeated wins can accumulate enough leaked references to destabilize the kernel. The score of 5.5 reflects this medium severity.

Generated by OpenCVE AI on May 20, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that takes key->lock around the key->dev check and the mctp_dev_set_key() call in mctp_flow_prepare_output(); this directly addresses the CWE-362 race condition recorded for this CVE.
  • If a kernel upgrade is not immediately possible, disable the MCTP subsystem, or restrict which local users can send MCTP traffic so that untrusted low-privileged processes cannot issue the concurrent sends needed to win the race.
  • Monitor kernel logs for refcount warnings, bearing in mind that a leaked hold does not by itself trip a refcount check, so logging only catches secondary symptoms; there is no runtime safeguard that recovers a lost reference, so treat this as a stopgap until the fix is applied.


Advisories

No advisories yet.

History

Wed, 20 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-404

Sat, 09 May 2026 12:15:00 +0000


Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-404

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy. Example interleaving: CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devB Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev. Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call.
Title mctp: route: hold key->lock in mctp_flow_prepare_output()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:55.256Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43455

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:58.263

Modified: 2026-05-20T18:04:20.973

Link: CVE-2026-43455

Red Hat

Severity :

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43455 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z

Weaknesses