CVE-2026-43455

EUVD-2026-28761
In the Linux kernel, the following vulnerability has been resolved:

mctp: route: hold key->lock in mctp_flow_prepare_output()

mctp_flow_prepare_output() checks key->dev and may call
mctp_dev_set_key(), but it does not hold key->lock while doing so.

mctp_dev_set_key() and mctp_dev_release_key() are annotated with
__must_hold(&key->lock), so key->dev access is intended to be
serialized by key->lock. The mctp_sendmsg() transmit path reaches
mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output()
without holding key->lock, so the check-and-set sequence is racy.

Example interleaving:

  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev)  // sees NULL
                                        mctp_flow_prepare_output(
                                            key, devB)
                                          if (!key->dev)  // still NULL
                                          mctp_dev_set_key(devB, key)
                                            mctp_dev_hold(devB)
                                            key->dev = devB
    mctp_dev_set_key(devA, key)
      mctp_dev_hold(devA)
      key->dev = devA   // overwrites devB

Now both devA and devB references were acquired, but only the final
key->dev value is tracked for release. One reference can be lost,
causing a resource leak as mctp_dev_release_key() would only decrease
the reference on one dev.

Fix by taking key->lock around the key->dev check and
mctp_dev_set_key() call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.167
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.130
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.78
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.19
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.9
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.1.150700.17.35.4
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.1.150700.17.35.4
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.1.150700.17.35.4
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.2
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.60.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.60.1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc
https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772
https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a
https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91
https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e
https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f