Description
In the Linux kernel, the following vulnerability has been resolved:

mctp: route: hold key->lock in mctp_flow_prepare_output()

mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

CPU0 CPU1
---- ----
mctp_flow_prepare_output(key, devA)
if (!key->dev) // sees NULL
mctp_flow_prepare_output(
key, devB)
if (!key->dev) // still NULL
mctp_dev_set_key(devB, key)
mctp_dev_hold(devB)
key->dev = devB
mctp_dev_set_key(devA, key)
mctp_dev_hold(devA)
key->dev = devA // overwrites devB

Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.

Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition exists in the Linux kernel’s MCTP routing subsystem. In mctp_flow_prepare_output(), the code checks whether key->dev is set and, if not, calls mctp_dev_set_key() to associate a device with the key. However, that callback requires key->lock to be held, and the calling function does not hold that lock. If two threads interleave, both can set the key on different devices, causing the second set to overwrite the first and leading to a lost reference. This race corresponds to a race condition flaw (CWE-367) and can result in a reference leak of one device. Over time, leaked references may exhaust kernel resources, causing instability or a denial of service.

Affected Systems

The vulnerability affects any Linux kernel build that contains the MCTP route module and has not yet applied the patch that protects the key->dev check with the lock. This includes all unpatched releases prior to the commit that adds the missing key lock. The impact is confined to the kernel and does not depend on specific hardware beyond those that use MCTP traffic.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. The attack vector requires an internal race within the kernel, so remote exploitation is unlikely without additional local privilege or process interference. Environments with heavy MCTP traffic that invoke concurrent send operations are more likely to trigger the race, potentially leading to silent reference leaks and eventual kernel instability.

Generated by OpenCVE AI on May 9, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel version that includes the fix adding key- lock around the key->dev check and mctp_dev_set_key() call.
  • If the system cannot be updated immediately, disable the MCTP subsystem or restrict its usage so that concurrent send operations that could trigger the race are prevented.
  • Set up monitoring for kernel messages or reference count irregularities that may indicate leaked device references, and consider applying runtime safeguards if the kernel provides such hooks.

Generated by OpenCVE AI on May 9, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-404

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-404

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy. Example interleaving: CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devB Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev. Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call.
Title mctp: route: hold key->lock in mctp_flow_prepare_output()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:19.375Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43455

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:58.263

Modified: 2026-05-08T15:16:58.263

Link: CVE-2026-43455

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43455 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses