CVE-2026-43328 Overview
CVE-2026-43328 is a double free vulnerability [CWE-415] in the Linux kernel's cpufreq governor subsystem. The flaw exists in the cpufreq_dbs_governor_init() error path within the dynamic frequency scaling governor code. When kobject_init_and_add() fails, the cleanup logic invokes both kobject_put() and the explicit kfree(dbs_data) path, releasing the same memory twice. The kobject release callback cpufreq_dbs_data_release() already calls gov->exit(dbs_data) and kfree(dbs_data), so the subsequent direct free corrupts the kernel slab allocator state.
Critical Impact
Local attackers with low privileges can trigger memory corruption in the Linux kernel, potentially leading to privilege escalation, kernel crash, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 5.1.6
- Linux Kernel 7.0 release candidates (rc1 through rc6)
Discovery Timeline
- 2026-05-08 - CVE-2026-43328 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43328
Vulnerability Analysis
The vulnerability resides in the cpufreq governor initialization routine, specifically cpufreq_dbs_governor_init(). This function manages dynamic frequency scaling governors that adjust CPU clock speeds based on load. During initialization, the function allocates a dbs_data structure and registers it with the kernel object system via kobject_init_and_add().
When kobject_init_and_add() fails after partial initialization, the code calls kobject_put(&dbs_data->attr_set.kobj) to release the reference. The release callback cpufreq_dbs_data_release() is then invoked, which executes gov->exit(dbs_data) followed by kfree(dbs_data). However, the original error path continued to call gov->exit(dbs_data) and kfree(dbs_data) directly, freeing the same memory region twice.
Double free conditions in kernel memory allocators corrupt slab metadata. Attackers can leverage this corruption to achieve arbitrary write primitives or hijack kernel control flow.
Root Cause
The root cause is incorrect cleanup ordering in error handling. The patch keeps the direct kfree(dbs_data) only for the gov->init() failure path, which occurs before kobject_init_and_add(). After the kobject is initialized, cleanup must be delegated entirely to kobject_put() and the release callback. The original code violated this ownership model by performing manual cleanup after the kobject system had already taken ownership of the structure.
Attack Vector
Exploitation requires local access with low privileges. An attacker must trigger the specific error condition in kobject_init_and_add() during cpufreq governor initialization. This typically occurs through governor switching operations exposed via /sys/devices/system/cpu/cpufreq/ sysfs interfaces. Successful exploitation corrupts the kernel slab allocator, enabling heap manipulation techniques common in Linux kernel privilege escalation chains.
The vulnerability is described in prose because no public proof-of-concept code is available. See the Linux Kernel Commit da39ee6 for the authoritative patch details.
Detection Methods for CVE-2026-43328
Indicators of Compromise
- Kernel panic or oops messages referencing cpufreq_dbs_data_release or cpufreq_dbs_governor_init in dmesg output
- SLUB allocator warnings such as double free or corruption and kernel BUG at mm/slub.c
- Unexpected processes spawning with elevated privileges following cpufreq governor changes
- Anomalous writes to /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
Detection Strategies
- Monitor kernel ring buffer for slab corruption warnings and KASAN reports indicating use-after-free or double-free patterns
- Enable CONFIG_SLUB_DEBUG and CONFIG_KASAN on test systems to identify exploitation attempts during validation
- Audit auditd for unprivileged write operations to cpufreq sysfs governor entries from non-root processes
Monitoring Recommendations
- Track kernel version inventory across Linux fleet using configuration management tooling
- Enable kernel crash collection (kdump) to capture forensic state if exploitation triggers a panic
- Correlate local privilege escalation indicators with cpufreq subsystem activity through centralized log analysis
How to Mitigate CVE-2026-43328
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits as soon as distribution updates are available
- Inventory all Linux systems running affected kernel versions and prioritize patching multi-tenant and shared hosts
- Restrict local user access on systems where the patch cannot be applied immediately
Patch Information
The fix preserves the direct kfree(dbs_data) only for the gov->init() failure path. After kobject_init_and_add() succeeds, cleanup is delegated entirely to kobject_put() through cpufreq_dbs_data_release(). Patches are available across stable branches in the following commits: Linux Kernel Commit 019ea28, Linux Kernel Commit 3bf9d02, Linux Kernel Commit 427d048, Linux Kernel Commit 56bc91e, Linux Kernel Commit 6dcf9d0, Linux Kernel Commit d2703b4, and Linux Kernel Commit da39ee6.
Workarounds
- Restrict write permissions on /sys/devices/system/cpu/cpufreq/ sysfs entries to root only using udev rules
- Disable runtime governor switching on production systems by setting a fixed governor at boot time via kernel command line parameter cpufreq.default_governor=performance
- Apply distribution-specific live kernel patching where available to avoid reboot requirements
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
