CVE-2026-43244 Overview
CVE-2026-43244 is a Linux kernel vulnerability in the Kernel Connection Multiplexor (KCM) subsystem. The flaw triggers a WARN_ON in kcm_write_msgs() when it processes a message whose frag_list contains a socket buffer (skb) with zero fragments. Syzkaller discovered the issue while fuzzing the KCM sendmsg path with partial copy failures from user memory.
The defect arises in the error handling of kcm_sendmsg(): once MAX_SKB_FRAGS is reached, a new tail skb (tskb) is linked into frag_list before the data copy takes place. When the copy fails with -EFAULT, the empty skb remains attached and is processed later, when the message is queued to sk_write_queue.
Critical Impact
A local user with KCM socket access can trigger a kernel warning and a potential denial-of-service condition by inducing a partial sendmsg failure on a SOCK_SEQPACKET KCM socket.
Affected Products
- Linux kernel — KCM (Kernel Connection Multiplexor) subsystem
- Stable kernel branches receiving fixes via commits 7af58f76, 9ea3671d, b1e3edf6, and ca220141
- Distributions shipping vulnerable Linux kernels with KCM enabled (CONFIG_AF_KCM)
Discovery Timeline
- 2026-05-06 - CVE-2026-43244 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43244
Vulnerability Analysis
The vulnerability resides in the KCM sendmsg write path. When kcm_sendmsg() fills the current skb's frags[] array up to MAX_SKB_FRAGS, it allocates an additional skb (tskb) and links it into the head skb's frag_list before copying user data. If the user-memory copy then fails, tskb is left attached to frag_list with nr_frags == 0.
For SOCK_SEQPACKET sockets, the partially assembled message is preserved via partial_message for later completion. Because sock_write_iter() automatically sets MSG_EOR on SOCK_SEQPACKET, a subsequent zero-length write(fd, NULL, 0) finalizes the message and queues it onto sk_write_queue. The transmit path kcm_write_msgs() then walks frag_list and triggers WARN_ON(!skb_shinfo(skb)->nr_frags).
TCP avoids this class of bug through tcp_remove_empty_skb(), which cleans up empty skbs after a copy failure. KCM lacked the equivalent cleanup, allowing a malformed skb chain to reach the send path.
Root Cause
The root cause is missing error-path cleanup of empty skbs linked into frag_list before user data is copied. The KCM send path treats skb allocation and data copy as separate steps without unwinding the linkage when the copy fails. This is a kernel input validation and resource cleanup defect in the network protocol code.
Attack Vector
A local unprivileged user with the ability to open a KCM SOCK_SEQPACKET socket can trigger the warning. The attacker calls sendmsg() with a payload large enough to fill MAX_SKB_FRAGS, then induces a copy failure by passing a user buffer that becomes invalid mid-copy (for example, by unmapping a page with munmap()). A subsequent zero-length write completes the partial message and triggers the warning during transmission. A reproducer was published in the upstream commit message.
The vulnerability mechanism is described in the upstream Kernel Git Commit b1e3edf6 and parallel stable-tree backports.
Detection Methods for CVE-2026-43244
Indicators of Compromise
- Kernel log entries of the form "WARNING: CPU: ... at net/kcm/kcmsock.c:... kcm_write_msgs+...", which is how both WARN_ON and WARN_ON_ONCE report when they fire in kcm_write_msgs.
- Stack traces in dmesg referencing kcm_sendmsg, kcm_write_msgs, and skb_shinfo together.
- Unexpected use of the AF_KCM socket family by non-administrative processes.
Detection Strategies
- Monitor the kernel ring buffer (dmesg) and journalctl -k output for repeated kcm_write_msgs warnings, which indicate trigger attempts.
- Audit socket(AF_KCM, SOCK_SEQPACKET, ...) system calls via auditd or eBPF tracing to identify processes exercising KCM.
- Correlate EFAULT returns from sendmsg() on KCM file descriptors with subsequent zero-length writes from the same process.
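The first two detection strategies above, as an added C example that is not part of this page or of the kernel project: it scans kernel log lines for the kcm_write_msgs warning (WARN_ON and WARN_ON_ONCE both log as a "WARNING: ... at file:line function" line) and, optionally, counts a warning only when its call trace also names kcm_sendmsg. The log lines are constructed, with made-up addresses, PIDs and kcmsock.c line number; the function names are this example's own.

```c
#include <string.h>

/* Constructed sample of `journalctl -k` output (not a real capture; addresses,
 * PIDs and the kcmsock.c line number are made up). */
static const char *SAMPLE_LOG[] = {
    "WARNING: CPU: 2 PID: 4242 at net/kcm/kcmsock.c:999 kcm_write_msgs+0x2a1/0x3c0",
    "Call Trace:",
    " kcm_sendmsg+0x6b4/0x8e0",
    " ____sys_sendmsg+0x1f0/0x2a0",
    "---[ end trace 0000000000000000 ]---",
    "WARNING: CPU: 0 PID: 88 at net/kcm/kcmsock.c:999 kcm_write_msgs+0x2a1/0x3c0",
    "Call Trace:",
    " kcm_tx_work+0x45/0x60",
    " process_one_work+0x1e5/0x3c0",
    "---[ end trace 0000000000000000 ]---",
    "eth0: link becomes ready",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* True for the line WARN_ON/WARN_ON_ONCE emits from kcm_write_msgs(): both
 * macros log as "WARNING: ... at <file>:<line> <function>+<offset>". */
int is_kcm_warning(const char *line)
{
    return strstr(line, "WARNING:") && strstr(line, "net/kcm/kcmsock.c")
        && strstr(line, "kcm_write_msgs");
}

/* Scan a log in order and count kcm_write_msgs warnings. With require_sendmsg
 * set, a warning counts only if its call trace (up to the "end trace" marker)
 * also names kcm_sendmsg, the pairing the Indicators of Compromise describe. */
int count_kcm_warnings(const char *lines[], size_t n, int require_sendmsg)
{
    int hits = 0, in_trace = 0, saw_sendmsg = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_kcm_warning(lines[i])) { in_trace = 1; saw_sendmsg = 0; continue; }
        if (!in_trace) continue;
        if (strstr(lines[i], "kcm_sendmsg")) saw_sendmsg = 1;
        if (strstr(lines[i], "end trace")) {
            if (!require_sendmsg || saw_sendmsg) hits++;
            in_trace = 0;
        }
    }
    return hits;
}
```

Feed it the lines of `journalctl -k -o cat` to apply the same logic to a live host; a non-zero count with require_sendmsg set is the signal worth alerting on.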
Monitoring Recommendations
- Forward kernel logs to a centralized log pipeline and alert on WARN_ON_ONCE events from networking subsystems.
- Track loaded kernel modules and confirm whether kcm is present on hosts that do not require it.
- Baseline KCM socket usage per host and flag deviations, since legitimate KCM consumers are uncommon.
How to Mitigate CVE-2026-43244
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 7af58f76, 9ea3671d, b1e3edf6, and ca220141 as soon as distribution updates are available.
- Disable or blacklist the kcm kernel module on systems that do not require Kernel Connection Multiplexor functionality.
- Restrict access to the AF_KCM socket family using seccomp profiles or SELinux/AppArmor policies for untrusted workloads.
Patch Information
The fix tracks the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, frag_prev is used to unlink and free it in O(1) without walking the singly linked frag_list. The patch also downgrades WARN_ON to WARN_ON_ONCE to prevent log flooding. Patches are available in Kernel Git Commit 7af58f76, Kernel Git Commit 9ea3671d, Kernel Git Commit b1e3edf6, and Kernel Git Commit ca220141.
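A user-space model of the defect described in the Vulnerability Analysis and of the fix described above, added here as an illustration and not taken from the kernel: a singly linked chain gets a fresh empty tail before any data arrives, and the error path either leaves it linked (pre-fix) or unlinks it through the tracked predecessor in O(1) (fixed). The struct layout, function names and MODEL_MAX_FRAGS value are this example's own stand-ins.

```c
#include <stdlib.h>
/* User-space model of the kcm_sendmsg() tail handling, constructed for this
 * page (not kernel code). frag_list is singly linked, as in the kernel;
 * frag_prev, the predecessor of the tail, is the pointer the fix adds. */
#define MODEL_MAX_FRAGS 17      /* stand-in for MAX_SKB_FRAGS */
struct skb { int nr_frags; struct skb *next; };
struct msg { struct skb *frag_list, *frag_tail, *frag_prev; };

/* Once the tail is full: link a fresh, empty skb before any data is copied. */
struct skb *link_new_tail(struct msg *m)
{
    struct skb *tskb = calloc(1, sizeof *tskb);
    if (!tskb) return NULL;
    if (m->frag_tail) m->frag_tail->next = tskb; else m->frag_list = tskb;
    m->frag_prev = m->frag_tail;
    m->frag_tail = tskb;
    return tskb;
}

/* Copy failed (-EFAULT). Pre-fix: the empty tskb stays linked. Fixed: a tail
 * with no frags is unlinked through frag_prev in O(1) and freed. */
void copy_failed(struct msg *m, int fixed)
{
    struct skb *t = m->frag_tail;
    if (!fixed || !t || t->nr_frags != 0) return;
    if (m->frag_prev) m->frag_prev->next = NULL; else m->frag_list = NULL;
    m->frag_tail = m->frag_prev;
    m->frag_prev = NULL;     /* unknown after an unlink; set by the next link */
    free(t);
}

/* The invariant kcm_write_msgs() warns on: 1 if any chained skb has no frags. */
int chain_has_empty_skb(const struct msg *m)
{
    for (const struct skb *s = m->frag_list; s; s = s->next) if (s->nr_frags == 0) return 1;
    return 0;
}

/* The sequence from the analysis: a full skb, a new tail, then a failed copy.
 * Returns 1 when the chain would trip the warning, 0 when it is clean. */
int simulate(int fixed)
{
    struct msg m = {0};
    struct skb *first = link_new_tail(&m);
    if (!first) return -1;
    first->nr_frags = MODEL_MAX_FRAGS;
    if (!link_new_tail(&m)) return -1;  /* tskb linked, no data yet */
    copy_failed(&m, fixed);
    int empty = chain_has_empty_skb(&m);
    for (struct skb *s = m.frag_list, *n; s; s = n) { n = s->next; free(s); }
    return empty;
}
```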
Workarounds
- Prevent the kcm module from loading by adding install kcm /bin/true to a file under /etc/modprobe.d/.
- Apply seccomp filters to block socket() calls with domain == AF_KCM for untrusted processes and containers.
- Limit container and namespace creation privileges so unprivileged users cannot open KCM sockets in isolated network namespaces.
# Configuration example
# Disable the KCM kernel module on hosts that do not require it
echo 'install kcm /bin/true' | sudo tee /etc/modprobe.d/blacklist-kcm.conf
# Unload it now if it is loaded; rmmod fails harmlessly if KCM sockets are open
sudo rmmod kcm 2>/dev/null || true
# Verify the module is not loaded (no output means it is absent)
lsmod | grep -i kcm
# The modprobe rule has no effect if AF_KCM was built into the kernel
# (CONFIG_AF_KCM=y); this prints the object path when kcm is built in
grep '/kcm\.ko$' "/lib/modules/$(uname -r)/modules.builtin"
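The seccomp workaround from the list above, as an added example that is not part of this page or of any project: a classic-BPF seccomp filter that makes socket() fail with EPERM when the domain is AF_KCM and allows every other syscall. It assumes an x86-64 or aarch64 host and a caller allowed to set no_new_privs; the filter and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef AF_KCM
#define AF_KCM 41   /* value from <linux/socket.h>, for older libc headers */
#endif
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this platform"
#endif

/* Classic-BPF seccomp program: socket() with domain AF_KCM fails with EPERM,
 * every other syscall is allowed. The arch check keeps the argument offsets
 * valid; a syscall from a foreign arch kills the process. */
static struct sock_filter kcm_deny[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),  /* not socket: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_KCM, 0, 1),       /* other domain: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter in the calling process; children inherit it. 0 on success. */
int install_kcm_filter(void)
{
    struct sock_fprog prog = { (unsigned short)(sizeof kcm_deny / sizeof kcm_deny[0]), kcm_deny };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* unprivileged prerequisite */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0 ? -1 : 0;
}

/* errno from socket(domain, SOCK_SEQPACKET, 0), or 0 if the call succeeded. */
int try_socket(int domain)
{
    int fd = socket(domain, SOCK_SEQPACKET, 0);
    if (fd >= 0) close(fd);
    return fd < 0 ? errno : 0;
}
```

Call install_kcm_filter() early in a launcher before exec'ing the untrusted workload; the same rule expressed as a container runtime seccomp profile is the equivalent for containers.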
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.