Bug 2468172 (CVE-2026-43374) - CVE-2026-43374 kernel: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
Summary: CVE-2026-43374 kernel: net: nexthop: fix percpu use-after-free in remove_nh_g...
Keywords:
Status: NEW
Alias: CVE-2026-43374
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-08 15:02 UTC by OSIDB Bzimport
Modified: 2026-05-08 21:05 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-08 15:02:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
Comment 1 Keith Grant 2026-05-08 21:01:58 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050830-CVE-2026-43374-385e@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.