Bug 2468075 (CVE-2026-43295)

Summary:	CVE-2026-43295 kernel: rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	unspecified	CC:	rhel-process-autobot, watson-tool-maintainers
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in the Linux kernel's rapidio subsystem. When memory allocation for `idtab` fails within the `rio_scan_alloc_net()` function, the network object is not correctly freed, resulting in a dangling pointer. This improper memory management could lead to system instability or a denial of service.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-08 14:03:12 UTC

In the Linux kernel, the following vulnerability has been resolved:

rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()

When idtab allocation fails, net is not registered with rio_add_net() yet,
so kfree(net) is sufficient to release the memory.  Set mport->net to NULL
to avoid dangling pointer.

Comment 1 Keith Grant 2026-05-08 18:20:10 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050854-CVE-2026-43295-f6c5@gregkh/T