CVE-2026-43016 Overview
CVE-2026-43016 is a use-after-free vulnerability in the Linux kernel's BPF sockmap implementation. The flaw resides in sk_psock_verdict_data_ready() in net/core/skmsg.c and was reported by syzbot through KASAN instrumentation. The issue affects AF_UNIX stream sockets where the peer socket's ->sk_data_ready() is invoked after unix_state_lock() is released. While the sender holds the peer's refcount, this does not prevent sock_orphan() from running, allowing the peer's sk->sk_socket to be freed after one RCU grace period. A local attacker with the ability to create UNIX sockets can trigger memory corruption in kernel space.
Critical Impact
Local exploitation can corrupt kernel memory through use-after-free of sk->sk_socket, potentially leading to privilege escalation or kernel denial of service.
Affected Products
- Linux kernel branches containing the BPF sockmap verdict handling code in net/core/skmsg.c
- Systems using AF_UNIX stream sockets with sockmap eBPF programs attached
- Distributions shipping affected kernel versions prior to the upstream fix commits
Discovery Timeline
- 2026-05-01 - CVE-2026-43016 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-43016
Vulnerability Analysis
The vulnerability is a use-after-free [CWE-416] in the Linux kernel networking stack, specifically in the BPF sockmap subsystem. The function sk_psock_verdict_data_ready() dereferences sk->sk_socket and sk->sk_socket->ops on a peer AF_UNIX socket whose backing struct socket may already have been freed.
In unix_stream_sendmsg() at net/unix/af_unix.c:2482, the sender invokes the peer socket's ->sk_data_ready() callback after dropping unix_state_lock(). The sender holds a reference on the peer sock structure, but that reference does not protect the associated struct socket from being detached via sock_orphan(). Once orphaned, sk_socket is freed asynchronously through an RCU grace period.
The KASAN report confirms a slab-use-after-free read of 8 bytes in sk_psock_verdict_data_ready+0xec/0x590. The freed object originates from sock_alloc_inode() allocated during __sys_socketpair(), and is released via kmem_cache_free during RCU batch processing.
Root Cause
The root cause is missing RCU protection when accessing the peer socket's sk_socket field. The sockmap verdict path assumed the struct socket would remain valid for the duration of the data-ready callback, but sock_orphan() can NULL out and free sk_socket independently of the sock reference count.
Attack Vector
A local unprivileged user creates a UNIX socket pair, attaches a sockmap eBPF program, and induces a race between unix_stream_sendmsg() on one side and close() or process termination on the peer. By winning the race after unix_state_lock() is released but before the data-ready callback completes, the attacker triggers a dereference of freed slab memory. The fix fetches sk->sk_socket and sk->sk_socket->ops under rcu_read_lock() inside sk_psock_verdict_data_ready(), ensuring the structure remains valid for the duration of the access.
Detection Methods for CVE-2026-43016
Indicators of Compromise
- KASAN reports referencing slab-use-after-free in sk_psock_verdict_data_ready in kernel logs
- Unexpected kernel oopses or panics with call traces through unix_stream_sendmsg and sk_psock_verdict_data_ready
- dmesg entries showing BUG reports tied to net/core/skmsg.c:1278
Detection Strategies
- Audit running kernel versions against the upstream stable commits 18861f87a043, 68187f18a89b, 8d597e3e7402, ad8391d37f33, and af95bc39a83d to identify unpatched hosts
- Monitor for processes that load BPF sockmap programs and operate on AF_UNIX socket pairs, since exploitation requires this configuration
- Enable CONFIG_KASAN in test environments to surface use-after-free conditions during fuzz testing
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized log pipeline and alert on KASAN, BUG, and Oops keywords
- Track bpf() syscall usage with audit rules to identify processes attaching sockmap programs
- Correlate kernel crash telemetry with the affected call stack to detect exploitation attempts
How to Mitigate CVE-2026-43016
Immediate Actions Required
- Apply the upstream stable kernel update containing the RCU-protected fix to sk_psock_verdict_data_ready() as soon as your distribution publishes it
- Inventory all Linux hosts running kernels with BPF sockmap support and prioritize multi-tenant systems where local users are untrusted
- Restrict the bpf() syscall using kernel.unprivileged_bpf_disabled=1 to limit which users can attach sockmap programs
Patch Information
The fix is published across multiple stable branches via the following commits: Linux Kernel Commit 18861f87a043, Linux Kernel Commit 68187f18a89b, Linux Kernel Commit 8d597e3e7402, Linux Kernel Commit ad8391d37f33, and Linux Kernel Commit af95bc39a83d. Rebuild and reboot into the patched kernel to take effect.
Workarounds
- Set kernel.unprivileged_bpf_disabled=1 via sysctl to block non-root users from loading BPF programs that exercise the vulnerable path
- Apply seccomp filters in untrusted workloads to deny the bpf() syscall where it is not required
- Avoid attaching sockmap verdict programs to AF_UNIX stream sockets on unpatched kernels until the fix is deployed
# Disable unprivileged BPF as a temporary mitigation
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' | sudo tee /etc/sysctl.d/90-bpf.conf
# Verify running kernel against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
