CVE-2026-43042 Overview
CVE-2026-43042 is a race condition vulnerability in the Linux kernel's Multiprotocol Label Switching (MPLS) subsystem. The flaw exists because RCU-protected codepaths, including mpls_forward and mpls_dump_routes, can observe an inconsistent view of the platform_labels count and platform_label array pair during a concurrent table resize performed by resize_platform_label_table. This inconsistency allows out-of-bounds (OOB) memory accesses in kernel space. The upstream fix introduces a seqcount to ensure RCU readers obtain a consistent snapshot of both fields.
Critical Impact
A local attacker with the ability to trigger MPLS route operations can cause out-of-bounds kernel memory access, leading to information disclosure or kernel denial of service.
Affected Products
- Linux kernel versions containing the vulnerable MPLS platform_label table implementation prior to the upstream fix
- Distributions shipping kernels with the unpatched net/mpls/af_mpls.c code
- Systems with the MPLS kernel module loaded and exposed to local users
Discovery Timeline
- 2026-05-01 - CVE-2026-43042 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-43042
Vulnerability Analysis
The Linux kernel MPLS implementation maintains a label forwarding table consisting of two related fields: platform_labels (the size of the table) and platform_label (the pointer to the table itself). Writers serialize updates with platform_mutex, while readers rely on Read-Copy-Update (RCU) for lock-free traversal.
During a table resize via resize_platform_label_table, the size and the pointer are updated as separate operations. RCU readers in mpls_forward and mpls_dump_routes may observe a torn state where the size value corresponds to one table while the pointer references another. When a reader indexes into the array using the inconsistent size, it can dereference memory outside the bounds of the active allocation.
The function mpls_label_ok is also affected. The patch notes that the existing RTA_DST validation in rtm_to_route_config, performed outside platform_mutex, is not sufficient on its own. Re-validation inside mpls_route_add and mpls_route_del prevents exploitation through that path.
Root Cause
The root cause is the absence of an atomic snapshot mechanism for the (platform_labels, platform_label) pair. RCU alone protects the pointer dereference but does not coordinate the read of the related size value, producing a Time-of-Check Time-of-Use (TOCTOU) condition between the two fields.
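The torn read and the seqcount retry described above, as a deterministic single-threaded C model; this is an added illustration, not the kernel's code or the upstream patch. Apart from the two field names, everything here is an assumption of the model: the struct and function names, the 8-to-4 shrink, the pointer-before-count update order, the bounded retry, and the use of C11 atomics in place of the kernel's seqcount primitives.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

enum { REJECTED, IN_BOUNDS, OUT_OF_BOUNDS, RETRY };
struct table { size_t len; };               /* real size of the allocation */
struct mpls_model {                         /* constructed stand-in, not a kernel struct */
    atomic_uint seq;                        /* even: stable, odd: resize in progress */
    _Atomic(struct table *) platform_label;
    atomic_size_t platform_labels;
};

static int classify(size_t index, size_t count, const struct table *t) {
    if (index >= count) return REJECTED;    /* the bounds check trusts the count field */
    return index < t->len ? IN_BOUNDS : OUT_OF_BOUNDS;
}

/* Pre-fix pattern: two independent loads, nothing ties them together. */
static int naive_lookup(struct mpls_model *m, size_t index) {
    size_t count = atomic_load(&m->platform_labels);
    return classify(index, count, atomic_load(&m->platform_label));
}

/* Seqcount pattern: accept the pair only if no writer ran in between. */
static int seq_lookup(struct mpls_model *m, size_t index, int tries) {
    while (tries-- > 0) {                   /* bounded only so this model terminates */
        unsigned start = atomic_load(&m->seq);
        if (start & 1) continue;            /* writer active, snapshot unusable */
        size_t count = atomic_load(&m->platform_labels);
        struct table *t = atomic_load(&m->platform_label);
        if (atomic_load(&m->seq) == start) return classify(index, count, t);
    }
    return RETRY;
}

/* Shrink from 8 to 4 labels, then query either mid-resize or after it completes. */
static int scenario(int use_seq, int finished, size_t index) {
    struct table old_t = { 8 }, new_t = { 4 };
    struct mpls_model m = { .seq = 0, .platform_label = &old_t, .platform_labels = 8 };
    atomic_fetch_add(&m.seq, 1);                 /* writer begins, seq is odd */
    atomic_store(&m.platform_label, &new_t);     /* pointer swapped, count still 8 */
    if (finished) {
        atomic_store(&m.platform_labels, new_t.len);
        atomic_fetch_add(&m.seq, 1);             /* writer done, seq is even */
    }
    return use_seq ? seq_lookup(&m, index, 3) : naive_lookup(&m, index);
}

int main(void) {
    printf("mid-resize, index 6: naive=%d seqcount=%d\n", scenario(0, 0, 6), scenario(1, 0, 6));
    return 0;
}
```

Mid-resize, the unprotected reader passes its bounds check against the old count and would index past the new 4-entry table, while the seqcount reader refuses the snapshot until the writer has finished.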
Attack Vector
Exploitation requires local access and the privilege to invoke MPLS route operations, typically CAP_NET_ADMIN within a user namespace. An attacker races concurrent route additions, deletions, or dumps against a triggered table resize. A successful race causes the forwarding or dump path to read past the end of the resized array. The result is kernel memory disclosure or a kernel panic, depending on the surrounding allocator state.
No verified proof-of-concept code is publicly available.
Refer to the upstream kernel commits for the precise code paths and the seqcount-based fix:
- 5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef
- 629ec78ef8608d955ce217880cdc3e1873af3a15
Detection Methods for CVE-2026-43042
Indicators of Compromise
- Unexpected kernel oops or panic entries in dmesg referencing mpls_forward, mpls_dump_routes, or mpls_label_ok
- KASAN reports of out-of-bounds reads in the MPLS subsystem on instrumented kernels
- Repeated RTM_NEWROUTE, RTM_DELROUTE, or RTM_GETROUTE netlink operations targeting AF_MPLS from unprivileged processes within user namespaces
Detection Strategies
- Audit running kernel versions against vendor advisories to identify hosts missing the seqcount fix
- Enable KASAN on test systems to surface OOB accesses in net/mpls/af_mpls.c during fuzzing or stress testing
- Monitor netlink socket activity for high-frequency MPLS route mutations correlated with table resize operations
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on crashes referencing MPLS symbols
- Track CAP_NET_ADMIN grants and user namespace creation by non-root processes
- Inventory hosts with the mpls_router module loaded and prioritize them for patching
How to Mitigate CVE-2026-43042
Immediate Actions Required
- Apply the upstream kernel patches referenced by commits 5bb3caf0bbfb and 629ec78ef860 or upgrade to a distribution kernel containing the seqcount fix
- If MPLS is not required, unload the mpls_router module and blacklist it to remove the attack surface
- Restrict creation of unprivileged user namespaces on systems where local users do not need that capability
Patch Information
The fix adds a seqcount around updates to the platform_label{,s} pair so that RCU readers retry until they observe a consistent snapshot. Distribution-specific patched kernels are tracked through the upstream stable trees. See upstream kernel commits 5bb3caf and 629ec78 for the authoritative source changes.
Workarounds
- Blacklist the mpls_router kernel module on systems that do not require label switching
- Set kernel.unprivileged_userns_clone=0 (or the equivalent sysctl on your distribution) to prevent unprivileged users from acquiring CAP_NET_ADMIN in a namespace
- Limit access to netlink AF_MPLS operations to trusted administrative accounts
# Blacklist the MPLS module and restrict unprivileged namespaces
echo 'blacklist mpls_router' | sudo tee /etc/modprobe.d/blacklist-mpls.conf
sudo sysctl -w kernel.unprivileged_userns_clone=0
sudo rmmod mpls_router 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


