CVE-2026-43374

EUVD-2026-28680
In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.170-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-4
fixed
forky
6.19.14-1
fixed
sid
7.0.4-1
fixed
trixie
vulnerable
trixie (security)
6.12.86-1
fixed
References
https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231
https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924
https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7
https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2