CVE-2026-43011
EUVD-2026-2661001.05.2026, 15:16
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix potential double free of skb
When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at
line 48 and returns 1 (error).
This error propagates back through the call chain:
x25_queue_rx_frame returns 1
|
v
x25_state3_machine receives the return value 1 and takes the else
branch at line 278, setting queued=0 and returning 0
|
v
x25_process_rx_frame returns queued=0
|
v
x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)
again
This would free the same skb twice. Looking at x25_backlog_rcv:
net/x25/x25_in.c:x25_backlog_rcv() {
...
queued = x25_process_rx_frame(sk, skb);
...
if (!queued)
kfree_skb(skb);
}EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.12.1 ≤ 𝑥 < 5.10.253 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.203 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.168 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.134 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.81 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.22 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.12 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12:rc2 |
| linux | linux_kernel | 2.6.12:rc3 |
| linux | linux_kernel | 2.6.12:rc4 |
| linux | linux_kernel | 2.6.12:rc5 |
| linux | linux_kernel | 7.0:rc1 |
| linux | linux_kernel | 7.0:rc2 |
| linux | linux_kernel | 7.0:rc3 |
| linux | linux_kernel | 7.0:rc4 |
| linux | linux_kernel | 7.0:rc5 |
| linux | linux_kernel | 7.0:rc6 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
Vulnerability Media Exposure
References