CVE-2026-43303 Overview
CVE-2026-43303 is a use-after-free vulnerability [CWE-416] in the Linux kernel memory management subsystem. The flaw resides in free_pages_prepare() within mm/page_alloc, where freed pages retain stale page->private values. Subsystems including slub, shmem, and ttm set page->private but do not clear it before releasing pages back to the allocator. When the swap subsystem later receives these pages and calls swap_count_continued(), it iterates over uninitialized page->lru data containing LIST_POISON values, triggering a kernel crash.
Critical Impact
A local attacker with low privileges can trigger memory corruption in the kernel, leading to denial of service or potential privilege escalation through the swap subsystem.
Affected Products
- Linux Kernel 5.18 (including release candidates rc4–rc9)
- Linux Kernel stable branches prior to the backported fix
- Distributions shipping affected kernel versions
Discovery Timeline
- 2026-05-08 - CVE-2026-43303 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43303
Vulnerability Analysis
The vulnerability stems from inconsistent state management of the page->private field across kernel subsystems. Multiple subsystems use page->private for tracking allocation-specific metadata. These subsystems do not reset the field when releasing pages back to the buddy allocator. When the allocator later returns these pages as high-order allocations and split_page() distributes the tail pages, the residual page->private values persist.
The swap subsystem assumes that newly allocated pages have page->private == 0. It uses this field to indicate whether a swap count continuation list exists for the page. When stale data is present, swap_count_continued() follows what it believes is a valid linked list. The actual memory contains LIST_POISON sentinel values such as 0xdead000000000100, producing a wild memory access reported by KASAN inside __do_sys_swapoff.
Root Cause
The root cause is the absence of a write to clear page->private in free_pages_prepare(). The buddy allocator did not enforce a clean-state invariant for this field, leaving correctness dependent on each subsystem performing its own cleanup. Any subsystem that failed to clear the field before freeing introduced a latent use-after-free condition for downstream consumers.
Attack Vector
Exploitation requires local access with the ability to influence kernel memory allocation patterns. An attacker triggers allocations and releases that leave non-zero page->private values, then invokes swapoff or related swap operations to reach swap_count_continued(). The resulting wild pointer dereference crashes the kernel and, under specific heap-shaping conditions, may allow controlled corruption of kernel structures.
No verified public proof-of-concept code is available. Technical details are documented in the upstream kernel commits referenced by the Kernel Git Commit - Fix.
Detection Methods for CVE-2026-43303
Indicators of Compromise
- Kernel oops or panic messages referencing __do_sys_swapoff or swap_count_continued
- KASAN reports indicating wild memory access in the range 0xdead000000000100-0xdead000000000107
- Unexpected kernel crashes correlated with swapoff invocations or heavy swap activity
Detection Strategies
- Monitor kernel ring buffer (dmesg) and /var/log/kern.log for LIST_POISON dereference signatures
- Enable KASAN on test and staging kernels to surface use-after-free conditions before production exposure
- Audit running kernel versions across the fleet using uname -r against the patched baseline
Monitoring Recommendations
- Aggregate kernel crash telemetry centrally for correlation across hosts
- Alert on repeated invocations of swapoff by non-administrative users or unexpected processes
- Track kernel package versions through configuration management to identify unpatched systems
How to Mitigate CVE-2026-43303
Immediate Actions Required
- Apply the upstream kernel patches referenced in the vendor advisory commits as soon as distribution builds are available
- Inventory Linux hosts running kernel 5.18 or affected stable branches and prioritize patching for multi-tenant systems
- Restrict local shell access on systems that cannot be patched immediately, since exploitation requires local privileges
Patch Information
The fix clears page->private in free_pages_prepare(), ensuring every freed page returns to the allocator with clean state. The patch is committed upstream as 23b82b7a2618, with related changes in ac1ea219590c and d757c793853e. Distribution maintainers backport these commits to long-term support kernels.
Workarounds
- Disable swap on affected hosts using swapoff -a where workload tolerates it, eliminating the vulnerable code path
- Limit access to the swapoff syscall by enforcing least-privilege policies and reviewing capability assignments
- Apply seccomp or LSM policies that restrict swap management syscalls to trusted administrative contexts
# Verify current kernel version and swap status
uname -r
cat /proc/swaps
# Temporary mitigation: disable swap if workload permits
sudo swapoff -a
# Persist by commenting swap entries in /etc/fstab
sudo sed -i.bak '/\sswap\s/s/^/#/' /etc/fstab
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
