CVE-2026-43481 - Vulnerability Details

- net-shapers: don't free reply skb after genlmsg_reply()

Description

In the Linux kernel, the following vulnerability has been resolved:

net-shapers: don't free reply skb after genlmsg_reply()

genlmsg_reply() hands the reply skb to netlink, and
netlink_unicast() consumes it on all return paths, whether the
skb is queued successfully or freed on an error path.

net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
currently jump to free_msg after genlmsg_reply() fails and call
nlmsg_free(msg), which can hit the same skb twice.

Return the genlmsg_reply() error directly and keep free_msg
only for pre-reply failures.

Published: 2026-05-13

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Linux kernel’s net-shapers implementation causes a double free of a socket buffer after a genlmsg_reply call fails. The duplicated free can corrupt kernel memory, potentially leading to a kernel panic or arbitrary code execution if an attacker can trigger the failure path. Thus, the primary impact is disruption of system availability or possible local privilege escalation on a vulnerable host.

Affected Systems

The vulnerability affects the Linux kernel, specifically the net-shapers code path that handles netlink replies. All kernel versions that contain the problematic net_shapers logic and have not yet incorporated the recent patch (identified by commit 57885276cc16a2e2b76282c808a4e84cbecb3aae) are susceptible. No specific version numbers are listed, so the risk applies to any Linux kernel running an unpatched net_shapers implementation.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity vulnerability. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploits yet. The likely attack vector is local: an attacker with privileges to send crafted netlink messages to the kernel can invoke the buggy path. Due to the lack of publicly reported exploits, the risk is moderate to high for organizations running affected kernels, especially those with exposed netlink interfaces or root access. The potential for denial of service or privilege escalation warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 8738dcc844fff7d0157ee775230e95df3b1884d7
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 83f7b54242d0abbfce35a55c01322f50962ed3ee
`4b623f9f0f59652ea71fcb27d60b4c3b65126dbb`	affected	< 57885276cc16a2e2b76282c808a4e84cbecb3aae

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,8738dcc844fff7d0157ee775230e95df3b1884d7)`	affected	code_commit	—
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,83f7b54242d0abbfce35a55c01322f50962ed3ee)`	affected	code_commit	—
`[4b623f9f0f59652ea71fcb27d60b4c3b65126dbb,57885276cc16a2e2b76282c808a4e84cbecb3aae)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.13`	affected	semver	—
`[0,6.13)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the system to a Linux kernel release that includes the net_shapers double‑free fix
Reboot the host after updating the kernel to ensure the patched code is active
Verify that any custom net‑shaping modules are removed or updated to avoid the buggy code path

Generated by OpenCVE AI on May 14, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/57885276cc16a2e2b76282c808a4e84cbecb3aae
https://git.kernel.org/stable/c/83f7b54242d0abbfce35a55c01322f50962ed3ee
https://git.kernel.org/stable/c/8738dcc844fff7d0157ee775230e95df3b1884d7
https://lore.kernel.org/linux-cve-announce/2026051348-CVE-2026-43481-6f80@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43481
https://www.cve.org/CVERecord?id=CVE-2026-43481

History

Thu, 14 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026051348-CVE-2026-43481-6f80@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43481 https://www.cve.org/CVERecord?id=CVE-2026-43481
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 13 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net-shapers: don't free reply skb after genlmsg_reply() genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path. net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice. Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.
Title		net-shapers: don't free reply skb after genlmsg_reply()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/57885276cc16a2e2b76282c808a4e84cbecb3aae https://git.kernel.org/stable/c/83f7b54242d0abbfce35a55c01322f50962ed3ee https://git.kernel.org/stable/c/8738dcc844fff7d0157ee775230e95df3b1884d7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-13T15:08:29.116Z

Updated: 2026-05-13T15:08:29.116Z

Reserved: 2026-05-01T14:12:56.012Z

Link: CVE-2026-43481

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-13T16:16:51.287

Modified: 2026-05-13T16:16:51.287

Link: CVE-2026-43481

Redhat

Severity : Moderate

Publid Date: 2026-05-13T00:00:00Z

Links: CVE-2026-43481 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T13:30:06Z

Weaknesses

CWE-1341

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object