CVE-2026-43385 Overview
CVE-2026-43385 is a Linux kernel vulnerability in the networking subsystem affecting threaded busypoll handling. The flaw causes rcu_tasks grace period stalls when threaded busypoll is enabled on NAPI (New API) network interfaces. The kernel fails to report quiescent state correctly because napi_threaded_poll_loop rarely iterates more than once under busypoll conditions. This results in indefinite RCU (Read-Copy-Update) task stalls, blocking tools such as bpftrace from starting and degrading system stability. The issue was resolved through commits that move quiescent state tracking to the outer napi_threaded_poll function.
Critical Impact
Network-reachable conditions can trigger kernel RCU stalls, producing denial-of-service conditions on Linux systems running threaded busypoll networking workloads.
Affected Products
- Linux kernel versions implementing threaded NAPI busypoll
- Systems with NIC drivers operating under napi_threaded_poll
- Linux distributions consuming upstream stable kernel trees
Discovery Timeline
- 2026-05-08 - CVE-2026-43385 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43385
Vulnerability Analysis
The vulnerability resides in the Linux kernel networking stack, specifically in the threaded busypoll path. When threaded busypoll is enabled, the main NAPI polling loop executes inside napi_threaded_poll rather than napi_threaded_poll_loop. The function rcu_softirq_qs_periodic, invoked inside napi_threaded_poll_loop, only reports a quiescent state when last_qs is at least 100ms behind the current jiffies value.
Under threaded busypoll, napi_threaded_poll_loop rarely iterates more than once per outer call. Each invocation resets last_qs to the current jiffies, so the 100ms threshold is never reached. As a result, the kernel never reports a quiescent state for the NAPI kernel thread, and rcu_tasks grace periods stall indefinitely.
Kernel logs show repeated rcu_tasks_wait_gp warnings with grace period age growing into the hundreds of thousands of jiffies. The stalled task is the NAPI kernel thread (for example, napi/eth2-8265) stuck in the running state inside napi_threaded_poll_loop. Tools that depend on RCU task synchronization, such as bpftrace and other BPF-based tracers, hang during startup.
Root Cause
The root cause is incorrect placement of the last_qs timestamp tracking. Because last_qs is stored and reset within napi_threaded_poll_loop, the periodic quiescent state reporting logic in rcu_softirq_qs_periodic cannot detect that the required 100ms has elapsed. The fix moves last_qs tracking to the outer napi_threaded_poll function and uses busy_poll_last_qs to indicate whether napi_threaded_poll_loop is operating in busypoll mode.
Attack Vector
The vulnerability is reachable over the network because sustained packet traffic drives the NAPI threaded busypoll loop. Any workload that keeps the NAPI thread continuously busy on an affected NIC can trigger the stall. The condition impacts availability through kernel RCU stalls and dependent subsystem hangs. No authentication or local access is required to generate the network load that exposes the bug.
The vulnerability manifests through kernel scheduling and RCU subsystem behavior rather than through exploitable code execution paths. See the referenced kernel commits for the precise code change.
Detection Methods for CVE-2026-43385
Indicators of Compromise
- Kernel log messages matching rcu_tasks_wait_gp: rcu_tasks grace period number N (since boot) is X jiffies old
- INFO: rcu_tasks detected stalls on tasks entries naming napi/<iface>-<queue> threads
- Hung or unresponsive bpftrace, bpftool, or other BPF-dependent tools at startup
- NAPI kernel threads stuck in running state with call traces including napi_threaded_poll_loop and napi_threaded_poll
Detection Strategies
- Monitor dmesg and journalctl -k for rcu_tasks stall warnings on hosts with threaded NAPI enabled
- Inspect /sys/class/net/<iface>/threaded to identify interfaces running threaded NAPI
- Correlate BPF tooling failures with concurrent kernel RCU stall messages
- Track kernel version against the fix commits 1a86a1f7d889 and 52459201d0df in stable trees
Monitoring Recommendations
- Centralize kernel ring buffer collection and alert on rcu_tasks detected stalls patterns
- Baseline expected NAPI thread CPU consumption and alert on threads pinned at 100% with no quiescent transitions
- Track availability of BPF-based observability agents and treat startup hangs as a high-priority signal
How to Mitigate CVE-2026-43385
Immediate Actions Required
- Identify hosts with threaded NAPI busypoll enabled by inspecting /sys/class/net/*/threaded
- Plan rollout of a patched stable kernel containing the upstream fix
- For systems unable to patch immediately, disable threaded NAPI on affected interfaces to remove the stall condition
Patch Information
The upstream fix relocates last_qs tracking from napi_threaded_poll_loop to napi_threaded_poll, using busy_poll_last_qs as the indicator for busypoll context. Apply the kernel updates referenced in Kernel Git Commit 1a86a1f and Kernel Git Commit 5245920. Update through the distribution package manager once vendor builds incorporating these commits are released.
Workarounds
- Disable threaded NAPI on affected NICs by writing 0 to /sys/class/net/<iface>/threaded
- Avoid enabling busypoll on workloads that depend on RCU task synchronization until patched
- Restrict deployment of BPF tracing tools on impacted hosts until kernel updates are applied
# Configuration example: disable threaded NAPI on an interface
echo 0 | sudo tee /sys/class/net/eth2/threaded
# Verify current state
cat /sys/class/net/eth2/threaded
# Check kernel logs for rcu_tasks stalls
sudo dmesg | grep -E 'rcu_tasks|napi_threaded_poll'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
