CVE-2026-43295 Overview
CVE-2026-43295 is a medium-severity vulnerability in the Linux kernel's RapidIO subsystem. The flaw resides in the rio_scan_alloc_net() function within the kernel's RapidIO network allocation path. When idtab allocation fails, the original error handling called rio_free_net() on a network structure that had not yet been registered via rio_add_net(). This mismatch could leave a dangling pointer in mport->net, leading to memory corruption and availability impact on the local system.
The vulnerability affects local attackers with low privileges and requires no user interaction. Successful exploitation results in high availability impact, typically manifesting as a kernel crash or unstable system state.
Critical Impact
A local low-privileged user can trigger a kernel-level dangling pointer condition in the RapidIO subsystem, resulting in denial of service on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches as referenced by upstream commits)
- Distributions shipping vulnerable RapidIO subsystem code
- Systems with CONFIG_RAPIDIO enabled and RapidIO hardware or emulation present
Discovery Timeline
- 2026-05-08 - CVE-2026-43295 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43295
Vulnerability Analysis
The vulnerability exists in the RapidIO scanning code path responsible for allocating a new RapidIO network structure. The function rio_scan_alloc_net() allocates a net object and then attempts to allocate the associated idtab. When the idtab allocation fails, the cleanup logic incorrectly invoked rio_free_net(), which is intended to release networks already registered with rio_add_net().
Because the network object was not yet registered at this point, calling rio_free_net() operated on partially initialized state. This left mport->net referencing freed or invalid memory, producing a dangling pointer condition. Subsequent code paths dereferencing mport->net could trigger memory corruption or kernel oops.
The fix replaces rio_free_net() with a direct kfree(net) call appropriate for the unregistered state and explicitly sets mport->net to NULL to eliminate the dangling reference.
Root Cause
The root cause is incorrect error-path cleanup. The original code applied a teardown routine designed for fully registered network objects to an object that had only been allocated. This mismatch between object lifecycle state and the cleanup function caused improper memory release semantics and left a stale pointer in mport->net.
Attack Vector
Exploitation requires local access with low privileges. An attacker must be able to trigger the RapidIO scan path, typically by interacting with RapidIO devices or driver interfaces that invoke rio_scan_alloc_net(). Forcing allocation failure on idtab—through memory pressure or fault injection—causes the vulnerable error path to execute, resulting in availability impact through kernel instability.
No proof-of-concept code is publicly available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog and has not been observed exploited in the wild.
Detection Methods for CVE-2026-43295
Indicators of Compromise
- Kernel oops or panic messages referencing rio_scan_alloc_net, rio_free_net, or the RapidIO subsystem in dmesg or /var/log/kern.log
- Unexpected system crashes or hangs on hosts with RapidIO hardware or drivers loaded
- Allocation failure warnings in kernel logs immediately preceding RapidIO subsystem errors
Detection Strategies
- Inventory hosts with CONFIG_RAPIDIO enabled and identify kernel versions that predate the upstream fix commits referenced by git.kernel.org
- Compare running kernel versions against the patched commits (34a4f23, 649c2e8, 666183d, 78812c4, 83e579c, 87272e3, e5a732b, fecf292)
- Monitor kernel ring buffer for RapidIO-related warnings and stack traces involving net allocation
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on rapidio or rio_ symbol references in oops traces
- Track kernel crash dumps for repeated faults in the RapidIO code path, which may indicate exploitation attempts or stability issues
- Audit loaded kernel modules to confirm whether rapidio is required; remove the module on systems that do not need it
How to Mitigate CVE-2026-43295
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution vendor that incorporates the upstream RapidIO fix
- Verify the running kernel version against the patched commits listed in the Linux Kernel git repository
- Restrict local access to systems with RapidIO subsystems enabled, particularly multi-tenant or shared hosts
Patch Information
The vulnerability is resolved across multiple stable branches. Reference patches:
- Linux Kernel Commit 34a4f23
- Linux Kernel Commit 649c2e8
- Linux Kernel Commit 666183d
- Linux Kernel Commit 78812c4
- Linux Kernel Commit 83e579c
- Linux Kernel Commit 87272e3
- Linux Kernel Commit e5a732b
- Linux Kernel Commit fecf292
The fix replaces the inappropriate rio_free_net() call with kfree(net) and assigns NULL to mport->net to prevent dangling pointer dereference.
Workarounds
- Disable the RapidIO subsystem on systems that do not require it by blacklisting the rapidio module or building kernels without CONFIG_RAPIDIO
- Limit local shell access on affected systems to trusted administrators until patches are deployed
- Apply strict resource limits to reduce the likelihood of induced allocation failures that trigger the vulnerable error path
# Blacklist the RapidIO module to prevent loading
echo "blacklist rapidio" | sudo tee /etc/modprobe.d/blacklist-rapidio.conf
sudo update-initramfs -u
# Verify the module is not loaded
lsmod | grep rapidio
# Check current kernel version against patched commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
