CVE-2026-43457 Overview
CVE-2026-43457 is a memory leak vulnerability in the Linux kernel's Management Component Transport Protocol (MCTP) over I2C implementation. The flaw exists in the receive path of the mctp-i2c driver. When the midev->allow_rx flag is false, a newly allocated socket buffer (skb) is not consumed by netif_rx(), and the code path fails to free the buffer directly. Each dropped frame leaks kernel memory, gradually exhausting available resources on systems handling MCTP over I2C traffic. The issue was resolved through patches applied across multiple stable Linux kernel branches.
Critical Impact
Sustained MCTP-over-I2C traffic on a system where allow_rx is disabled causes progressive kernel memory exhaustion, potentially leading to denial of service on affected hosts.
Affected Products
- Linux kernel branches containing the mctp-i2c driver prior to the fix
- Systems using MCTP transport over I2C buses (commonly BMCs, server management controllers, and platform telemetry)
- Distributions shipping kernels without the backported commits referenced below
Discovery Timeline
- 2026-05-08 - CVE-2026-43457 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43457
Vulnerability Analysis
The Management Component Transport Protocol over I2C provides a transport for platform management traffic between devices such as baseboard management controllers and host CPUs. The mctp-i2c driver allocates an sk_buff for each inbound frame and hands it to netif_rx() for delivery to the network stack.
The receive handler checks the per-device midev->allow_rx flag before forwarding the frame. When the flag is false, the driver drops the packet without passing ownership to netif_rx(). The original code path neglected to call kfree_skb() on the allocated buffer in this branch, producing a memory leak that scales with the volume of received traffic.
Root Cause
The root cause is an unbalanced ownership transfer of an sk_buff. The netif_rx() function takes ownership of the buffer and is responsible for freeing it, but only when invoked. The early-exit branch covering allow_rx == false returns without freeing the buffer it allocated, satisfying the definition of a memory leak [CWE-401].
Attack Vector
A local or adjacent attacker capable of generating MCTP frames on an I2C bus attached to a vulnerable host can force the driver into the leaking branch. On systems where allow_rx is disabled by configuration, every received frame consumes kernel memory that is never reclaimed. Continuous traffic eventually exhausts memory and degrades or crashes the host. The vulnerability does not enable code execution or data disclosure.
No public proof-of-concept code is required to trigger the condition. The fix consists of adding an explicit kfree_skb() call on the drop path. The patches are tracked under the Linux kernel commits 0fb2adb, 1b1be32, 1ec5418, 9f81be2, d7900a4, and e3f5e0f.
Detection Methods for CVE-2026-43457
Indicators of Compromise
- Steady growth of kernel slab allocations attributed to skbuff_head_cache on hosts using MCTP over I2C
- Rising MemAvailable pressure correlated with active mctp-i2c interfaces while allow_rx is disabled
- Out-of-memory killer events on management controllers or hosts running BMC-side MCTP stacks
Detection Strategies
- Inventory hosts that load the mctp-i2c kernel module and record their kernel build identifiers
- Compare installed kernel versions against the stable branches that include the referenced fix commits
- Track /proc/slabinfo and /proc/meminfo over time on systems with MCTP traffic to detect anomalous memory growth
Monitoring Recommendations
- Alert on sustained increases in skbuff_head_cache active object counts on production servers
- Forward kernel logs containing MCTP, I2C, or OOM events to a centralized log platform for correlation
- Audit allow_rx settings on MCTP interfaces and confirm they match the intended operational policy
How to Mitigate CVE-2026-43457
Immediate Actions Required
- Identify systems running the mctp-i2c driver and prioritize them for kernel updates
- Apply the upstream stable kernel that incorporates the linked fix commits, or rebuild with the patches backported
- Reboot updated hosts to load the corrected kernel image and clear leaked memory
Patch Information
The fix is committed across multiple stable Linux kernel branches. Reference the Linux kernel stable tree commits 0fb2adb, 1b1be32, 1ec5418, 9f81be2, d7900a4, and e3f5e0f. Consume vendor-packaged kernels from your distribution once they include these commits.
Workarounds
- Unload the mctp-i2c module on hosts that do not require MCTP-over-I2C connectivity
- Restrict physical and logical access to I2C buses to limit the volume of inbound MCTP frames
- Schedule periodic reboots of unpatched hosts to reclaim leaked kernel memory until updates can be applied
# Verify whether the mctp-i2c module is in use and inspect related interfaces
lsmod | grep mctp_i2c
ip link show type mctp
# Temporarily remove the module on hosts that do not need MCTP-over-I2C
sudo modprobe -r mctp_i2c
# Confirm the running kernel version after applying the vendor update
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
