CVE-2026-43050 Overview
CVE-2026-43050 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Asynchronous Transfer Mode (ATM) LAN Emulation (LEC) subsystem. The flaw resides in sock_def_readable() and is triggered by a race condition between lec_atm_close() clearing priv->lecd and concurrent socket access in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via Read-Copy-Update (RCU) while another thread still references it, the kernel dereferences a stale pointer to the socket's wait queue.
The vulnerability affects multiple Linux kernel versions, including builds spanning from 2.6.12 through 7.0 release candidates. It is tracked under CVE-2026-43050 and was published to the National Vulnerability Database on 2026-05-01.
Critical Impact
Local attackers with the ability to open ATM LEC sockets can trigger a kernel-mode use-after-free, leading to memory corruption, denial of service, or potential local privilege escalation.
Affected Products
- Linux Kernel (mainline, multiple versions)
- Linux Kernel 2.6.12 (including release candidates rc2 through rc5)
- Linux Kernel 7.0 release candidates rc1 through rc4
Discovery Timeline
- 2026-05-01 - CVE-2026-43050 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43050
Vulnerability Analysis
The vulnerability is a Use-After-Free condition in the ATM LEC driver located at net/atm/lec.c. The LEC subsystem maintains a per-interface priv structure that holds a pointer, priv->lecd, to the control daemon's socket. When user space closes the LEC control socket, lec_atm_close() sets priv->lecd to NULL without synchronizing against other in-flight operations.
Concurrently, transmit and bridging code paths including send_to_lecd(), lec_handle_bridge(), and lec_atm_send() dereference priv->lecd to deliver packets up to the daemon. Once RCU frees the underlying socket, the wait-queue access inside sock_def_readable() operates on freed memory. Exploiting the race can corrupt kernel memory and destabilize the host.
Root Cause
The root cause is missing synchronization on the priv->lecd pointer. lec_atm_close() clears the pointer without ensuring that all readers have completed, and the readers themselves do not protect access against teardown. The fix marks priv->lecd as __rcu, switches assignments to rcu_assign_pointer(), uses rcu_access_pointer() for NULL checks, and brackets dereferences with rcu_read_lock()/rcu_dereference()/rcu_read_unlock(). A synchronize_rcu() call in lec_atm_close() guarantees readers complete before teardown proceeds.
Attack Vector
Exploitation requires local access and the ability to open ATM sockets, which typically means a kernel built with CONFIG_ATM_LANE and a user with sufficient privileges to create AF_ATMSVC or AF_ATMPVC sockets. An attacker races socket close against transmit or bridge operations to leave a dangling pointer in priv->lecd. Successful triggering produces a use-after-free in sock_def_readable() when the kernel attempts to wake the socket's wait queue. Refer to the upstream patch series for the precise call paths.
Detection Methods for CVE-2026-43050
Indicators of Compromise
- Kernel oops or panic messages referencing sock_def_readable, lec_atm_close, send_to_lecd, or lec_handle_bridge in dmesg or /var/log/kern.log.
- KASAN reports flagging use-after-free reads in the ATM LEC code path.
- Unexpected ATM LEC interface teardowns followed by process crashes or system instability on hosts with the atm or lec kernel modules loaded.
Detection Strategies
- Inventory hosts that load the atm and lec kernel modules using lsmod | grep -E 'atm|lec' and prioritize patching those systems.
- Enable Kernel Address Sanitizer (KASAN) on test or canary kernels to surface the race condition during fuzzing or stress testing.
- Monitor audit logs for processes invoking socket(AF_ATMSVC, ...) or socket(AF_ATMPVC, ...) from non-administrative users.
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging platform and alert on stack traces containing ATM LEC symbols.
- Track kernel version inventory across the fleet and correlate against the fixed commits listed in the vendor advisories.
- Watch for repeated process crashes or kernel splats originating from a single low-privileged account, which can indicate race exploitation attempts.
How to Mitigate CVE-2026-43050
Immediate Actions Required
- Apply the upstream kernel patches referenced in the vendor advisories and reboot affected hosts at the earliest maintenance window.
- Where patching is not yet possible, blacklist the lec and atm kernel modules on systems that do not require ATM LAN Emulation.
- Restrict the ability to create ATM sockets to trusted administrative users only.
Patch Information
The Linux kernel maintainers fixed the issue by converting priv->lecd to an RCU-protected pointer and adding synchronize_rcu() in lec_atm_close(). Fixed commits are available in the stable trees, including commit 317843d5, commit 3989740f, commit 3e8b25f3, commit 5fbbb1ff, commit 750a33f4, commit 92281487, commit abc10f85, and commit b256d055. Distribution vendors are publishing backports through their standard kernel update channels.
Workarounds
- Blacklist the lec module by adding blacklist lec to /etc/modprobe.d/blacklist-atm.conf on systems that do not use ATM LAN Emulation.
- Use module signing and lockdown features to prevent unprivileged loading of legacy networking modules.
- Limit local user access on multi-tenant Linux systems until patched kernels are deployed.
# Configuration example: prevent loading of vulnerable ATM LEC modules
echo 'blacklist lec' | sudo tee /etc/modprobe.d/blacklist-atm.conf
echo 'blacklist atm' | sudo tee -a /etc/modprobe.d/blacklist-atm.conf
sudo rmmod lec 2>/dev/null || true
sudo rmmod atm 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
