CVE-2026-43208 Overview
CVE-2026-43208 is a Linux kernel vulnerability in the networking subsystem affecting Receive Packet Steering (RPS) handling. The flaw resides in the set_rps_cpu() function, which incorrectly assumed the RPS table for each receive queue would maintain a consistent size and never change. This assumption can lead to out-of-bounds memory access and potential kernel crashes when the table size changes between get_rps_cpu() and set_rps_cpu() calls. The kernel maintainers resolved the issue by computing flow_id directly inside set_rps_cpu() rather than passing the value from the caller.
Critical Impact
Out-of-bounds memory access in the kernel network path can cause system crashes and potential memory corruption affecting Linux network stack stability.
Affected Products
- Linux kernel (networking subsystem, RPS implementation)
- Distributions shipping affected kernel versions prior to the fix commits
- Systems with RPS enabled on multi-queue network interfaces
Discovery Timeline
- 2026-05-06 - CVE-2026-43208 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43208
Vulnerability Analysis
The vulnerability exists in the Linux kernel's Receive Packet Steering implementation. RPS distributes packet processing across multiple CPUs by hashing flow identifiers into a per-receive-queue table. The original implementation passed flow_id from get_rps_cpu() to set_rps_cpu() as a precomputed value.
This design assumed the RPS flow table size remains constant across both function calls. When the table size changes between calls, the precomputed flow_id may exceed the current table bounds. The result is an out-of-bounds array access in kernel memory.
The fix recomputes flow_id inside set_rps_cpu() against the current table state. This eliminates the stale-index condition. The patch is committed under hashes 5455a232, 8a8a9fac, and ed712dc0 in the upstream stable tree.
Root Cause
The root cause is an unsafe assumption about kernel data structure invariance. The blamed commit treated the RPS flow table as fixed-size and immutable across the receive path. RPS tables can be resized via sysfs, invalidating any cached index. Passing flow_id between functions without re-validation creates a Time-of-Check Time-of-Use (TOCTOU) condition leading to out-of-bounds reads or writes.
Attack Vector
Exploitation requires the ability to trigger RPS table size changes concurrent with active network traffic processing. An attacker with local privileges to modify RPS configuration via /sys/class/net/<iface>/queues/rx-*/rps_flow_cnt could create the race condition. Network traffic targeting affected receive queues would then trigger the out-of-bounds access. The primary impact is denial of service through kernel crash, with potential for memory corruption.
No verified public exploit code is available. Refer to the upstream commits listed under Patch Information for technical patch details.
Detection Methods for CVE-2026-43208
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing set_rps_cpu or get_rps_cpu in dmesg output
- KASAN reports indicating out-of-bounds access in the net/core/dev.c networking code path
- Sudden network interface resets or queue stalls correlated with RPS configuration changes
Detection Strategies
- Monitor kernel logs for crash signatures involving the RPS subsystem and receive queue processing
- Audit changes to RPS flow count parameters under /sys/class/net/*/queues/rx-*/rps_flow_cnt
- Validate running kernel version against the patched commits in the upstream stable tree
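One way to automate the kernel log check described above, as an added example that is not part of the original advisory: it prints the header of every crash report (KASAN, oops, BUG) whose header or following trace lines reference set_rps_cpu or get_rps_cpu. The function names, the 40-line window and the sample log lines are assumptions constructed for this illustration.

```bash
#!/usr/bin/env bash
# Reads kernel log text on stdin (e.g. from `dmesg` or `journalctl -k`) and
# prints the header of each crash report that references an RPS function.
# $1 = how many lines after a header still belong to that report (default 40).
rps_crash_reports() {
    awk -v window="${1:-40}" '
        # Start of a crash report: KASAN, oops, or BUG header.
        /BUG: KASAN:|Oops:|kernel BUG at|general protection fault|BUG: unable to handle/ {
            header = $0; left = window; reported = 0
        }
        # RPS symbol in the header itself or in the trace that follows it.
        left > 0 {
            if (!reported && $0 ~ /(set|get)_rps_cpu\+0x/) { print header; reported = 1 }
            left--
        }
    '
}

# Constructed sample log: addresses, offsets and example_driver_poll are made up.
sample_log() {
    cat <<'EOF'
[  120.500000] eth0: link up
[  300.100000] BUG: KASAN: slab-out-of-bounds in set_rps_cpu+0x1f4/0x2a0
[  300.100010] Write of size 4 at addr ffff888012345678 by task ksoftirqd/1/18
[  300.100020] Call Trace:
[  300.100030]  get_rps_cpu+0x2c1/0x4d0
[  300.100040]  netif_receive_skb_list_internal+0x1a0/0x3c0
[  410.200000] BUG: unable to handle page fault for address: ffffc90000a3f000
[  410.200010] RIP: 0010:get_rps_cpu+0x2c1/0x4d0
[  520.300000] BUG: KASAN: use-after-free in example_driver_poll+0x88/0x120
[  520.300010] Call Trace:
[  520.300020]  example_driver_poll+0x88/0x120
EOF
}

sample_log | rps_crash_reports
```

On a live host, feed it real log text instead of the sample, for example `dmesg | rps_crash_reports`.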
Monitoring Recommendations
- Enable persistent kernel crash dump collection via kdump to capture and analyze any RPS-related panics
- Track sysfs write events to RPS configuration paths through Linux audit framework rules
- Correlate kernel crash telemetry with network workload changes across fleet endpoints
How to Mitigate CVE-2026-43208
Immediate Actions Required
- Update affected Linux systems to a kernel version containing commits 5455a232, 8a8a9fac, or ed712dc0
- Apply distribution-provided kernel updates as soon as vendors release backported fixes
- Restrict write access to RPS sysfs configuration paths to trusted administrators only
Patch Information
The upstream Linux kernel maintainers resolved the issue by moving flow_id computation into set_rps_cpu(). The fix is available in three stable tree commits: 5455a232edea6b946b99449f15ca771a8874a5a6, 8a8a9fac9efa6423fd74938b940cb7d731780718, and ed712dc0d64dee5f0d05e4d8ca57711f8a9c850c. Distribution maintainers including Red Hat, Debian, Ubuntu, and SUSE typically backport such fixes into their supported kernel branches.
Workarounds
- Disable RPS on affected interfaces by writing 0 to /sys/class/net/<iface>/queues/rx-*/rps_cpus if performance impact is acceptable
- Avoid runtime resizing of RPS flow tables on production systems until patches are deployed
- Limit local user access on multi-tenant systems to reduce attack surface for race condition triggers
```bash
# Configuration example - disable RPS on interface eth0 until patched
for q in /sys/class/net/eth0/queues/rx-*/rps_cpus; do
    echo 0 | sudo tee "$q"
done

# Verify running kernel against patched commits
uname -r
```
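To confirm which receive queues still have RPS enabled, before or after applying the workaround above, the following added example (not part of the original advisory) lists every queue with a non-zero rps_cpus mask together with its rps_flow_cnt. The function name and the optional directory argument are assumptions introduced here; the argument exists only so the check can be run against a constructed directory tree.

```bash
#!/usr/bin/env bash
# List receive queues that still have RPS enabled, with their flow table size.
# $1 = sysfs net directory (default /sys/class/net).
rps_enabled_queues() {
    local root="${1:-/sys/class/net}" q mask cnt iface
    for q in "$root"/*/queues/rx-*; do
        [ -r "$q/rps_cpus" ] || continue
        # rps_cpus is a hex CPU bitmap, possibly comma-grouped: 00000000,0000000f
        mask=$(tr -d ',0\n' < "$q/rps_cpus")
        [ -n "$mask" ] || continue      # all zeros: RPS is disabled on this queue
        cnt=$(cat "$q/rps_flow_cnt" 2>/dev/null || echo '?')
        iface=${q#"$root"/}
        iface=${iface%%/*}
        printf '%s %s rps_cpus=%s rps_flow_cnt=%s\n' \
            "$iface" "${q##*/}" "$(tr -d '\n' < "$q/rps_cpus")" "$cnt"
    done
}

rps_enabled_queues "$@"
```

No output means no readable queue under the given directory has RPS enabled.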


