CVE-2026-43091 Overview
CVE-2026-43091 is a kernel vulnerability in the Linux xfrm (IPsec transformation) subsystem. The flaw exists in xfrm_policy_fini(), which frees the policy_bydst hash tables during network namespace teardown without waiting for concurrent Read-Copy-Update (RCU) readers to leave their critical sections. Because the hash tables are published with rcu_assign_pointer() and accessed via rcu_dereference_check(), freeing the memory before an RCU grace period can lead to a use-after-free condition. The issue has been resolved upstream by adding synchronize_rcu() prior to freeing the policy hash tables.
Critical Impact
A race condition between RCU readers and netns teardown can cause use-after-free on xfrm policy hash tables, potentially resulting in kernel memory corruption or denial of service.
Affected Products
- Linux kernel versions containing the unpatched xfrm_policy_fini() implementation
- Systems using IPsec policies via the xfrm subsystem
- Multi-tenant or container hosts that frequently create and destroy network namespaces
Discovery Timeline
- 2026-05-06 - CVE-2026-43091 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43091
Vulnerability Analysis
The Linux kernel xfrm subsystem manages IPsec security policies and stores them in per-namespace policy_bydst hash tables. These tables are published using rcu_assign_pointer() and accessed by lookup paths through rcu_dereference_check(), which permits lockless concurrent reads under RCU protection.
During network namespace teardown, xfrm_policy_fini() flushes pending policy work items, deletes all policies, and then frees the hash table memory. The function does not call synchronize_rcu() before deallocation. As a result, an RCU reader that entered the lookup path before teardown can still hold a reference to the table when the memory is released.
This behavior produces a classic RCU use-after-free pattern. The reader may dereference freed memory after the namespace exit path completes, leading to kernel memory corruption, an oops, or potentially exploitable conditions depending on allocator state.
Root Cause
The root cause is a missing RCU grace-period synchronization in the netns exit path. RCU contracts require that memory published via rcu_assign_pointer() and read via rcu_dereference() only be freed after synchronize_rcu() (or equivalent) confirms all pre-existing readers have completed. xfrm_policy_fini() violated this contract for the policy_bydst tables.
Attack Vector
Triggering the race requires concurrent activity that performs xfrm policy lookups while a network namespace containing those policies is being destroyed. Workloads that frequently spawn and tear down namespaces, such as container runtimes or orchestration platforms, increase the likelihood of overlapping operations. Local actors with CAP_NET_ADMIN inside a namespace can influence both the lookup and teardown paths to widen the race window.
The vulnerability mechanism is described in the upstream patch series. See the Kernel Git Commit 3733fce and the Kernel Git Commit 069daad4 for the authoritative source-level fix.
Detection Methods for CVE-2026-43091
Indicators of Compromise
- Kernel oops or panic messages referencing xfrm_policy, policy_bydst, or __xfrm_policy_lookup call paths
- KASAN use-after-free reports involving xfrm hash table allocations during or shortly after netns teardown
- Unexpected IPsec connectivity loss correlated with container or namespace lifecycle events
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test and staging kernels to surface the use-after-free during stress testing
- Audit running kernel versions across the fleet against the patched stable releases referenced by the upstream commits
- Correlate kernel ring buffer (dmesg) entries with namespace teardown events emitted by container runtimes
Monitoring Recommendations
- Forward kernel.crit and kernel.err syslog facilities to a centralized log platform for review
- Track kernel version inventory continuously to identify hosts still running unpatched builds
- Alert on repeated kernel oops events on hosts that perform high-frequency namespace creation and destruction
How to Mitigate CVE-2026-43091
Immediate Actions Required
- Identify Linux hosts using IPsec via the xfrm subsystem, particularly container hosts and multi-tenant systems
- Apply the patched kernel from your distribution vendor or rebuild from a stable tree containing the referenced commits
- Reboot affected systems after patching, since the fix resides in resident kernel code
Patch Information
The upstream fix adds synchronize_rcu() to xfrm_policy_fini() before freeing the policy_bydst hash tables. Apply the patches available in the following stable commits: Kernel Git Commit 069daad4, Kernel Git Commit 33a3149, Kernel Git Commit 3733fce, Kernel Git Commit 438b1f6, and Kernel Git Commit b66920a.
Workarounds
- Reduce the rate of network namespace creation and destruction on hosts that cannot be patched immediately
- Avoid configuring xfrm policies inside short-lived namespaces where feasible
- Restrict CAP_NET_ADMIN to trusted workloads to limit who can manipulate xfrm policy state
# Verify running kernel version against patched releases
uname -r
# Check whether xfrm policies are configured in a namespace
ip xfrm policy show
# Inventory loaded kernel modules related to xfrm/IPsec
lsmod | grep -E 'xfrm|esp|ah'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
