CVE-2026-43463 Overview
CVE-2026-43463 is a Linux kernel vulnerability in the rxrpc and afs (Andrew File System) subsystems. The function rxrpc_kernel_lookup_peer() can return error pointers in addition to NULL, but callers only checked for NULL. This insufficient validation can lead to dereferencing an error pointer as a valid object, resulting in kernel memory corruption or a kernel oops. The fix changes rxrpc_kernel_lookup_peer() to return -ENOMEM on allocation failure and updates afs callers to use the IS_ERR() and PTR_ERR() macros to propagate the error code correctly.
Critical Impact
Improper error pointer handling in the Linux kernel's rxrpc and afs subsystems can lead to kernel instability or a denial-of-service condition through invalid pointer dereference.
Affected Products
- Linux kernel (rxrpc subsystem)
- Linux kernel (afs filesystem client)
- Stable kernel branches receiving the referenced commit backports
Discovery Timeline
- 2026-05-08 - CVE-2026-43463 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43463
Vulnerability Analysis
The defect resides in the interaction between the kernel's rxrpc networking layer and the afs filesystem client. The helper rxrpc_kernel_lookup_peer() resolves a peer endpoint for an RxRPC connection. Prior to the fix, callers in afs validated only that the returned pointer was non-NULL before treating it as a usable peer object.
However, the function could also return an ERR_PTR() encoded error value when underlying operations failed. Encoded error pointers occupy the upper region of the kernel address space and are not valid object pointers. Dereferencing such a value causes invalid memory access in kernel context.
This class of bug falls under improper input validation of return values, closely related to null pointer dereference [CWE-476] handling errors. The CVE record does not assign a CWE identifier.
Root Cause
The root cause is incomplete return-value validation. rxrpc_kernel_lookup_peer() had a tri-state return contract — a valid pointer, NULL, or an ERR_PTR() — but documentation and callers treated it as a two-state contract. Allocation failures inside the lookup path produced encoded error pointers that bypassed the NULL check.
Attack Vector
Triggering the defect requires conditions that cause rxrpc_kernel_lookup_peer() to return an error pointer, such as memory allocation failure during peer lookup. A local user generating sustained AFS client activity under memory pressure could reach the vulnerable code path. The defect is not known to be remotely exploitable for code execution and there is no public proof of concept.
No verified exploit code is available for this vulnerability. Refer to the upstream commits for the precise code change. Relevant references include the Kernel Git Commit Fix, the Kernel Git Commit Update, and the Kernel Git Commit Change.
Detection Methods for CVE-2026-43463
Indicators of Compromise
- Kernel oops or BUG: messages referencing rxrpc_kernel_lookup_peer or afs call paths in dmesg.
- Unexplained kernel panics on hosts that mount AFS volumes or use RxRPC services.
- Repeated -ENOMEM propagation errors in AFS client logs that previously crashed older kernels.
Detection Strategies
- Inventory running kernel versions across Linux fleets and identify hosts on branches predating the referenced upstream fix commits.
- Audit systems that load the kafs or rxrpc modules, since unaffected systems do not exercise the vulnerable code paths.
- Correlate kernel crash telemetry with AFS workload spikes or memory pressure events.
Monitoring Recommendations
- Forward dmesg, kdump, and journald kernel logs to a centralized log platform for crash-signature alerting.
- Track memory pressure metrics on hosts running AFS clients to identify conditions that increase exposure.
- Alert on repeated module loads of rxrpc or kafs on systems where AFS is not expected.
How to Mitigate CVE-2026-43463
Immediate Actions Required
- Apply the upstream stable kernel update containing commits 54331c5dcc6d, 4245a79003ad, and d55fa7cd4b19 from your Linux distribution.
- Reboot affected hosts after kernel package installation to load the patched image.
- Restrict AFS mounts to systems that explicitly require them to reduce the exposed code surface.
Patch Information
The fix is upstream in the Linux kernel via three commits: changing rxrpc_kernel_lookup_peer() to return -ENOMEM instead of NULL on allocation failure, and converting afs callers to use IS_ERR() and PTR_ERR(). Consult your distribution's security tracker for the specific package versions that backport these commits. References: Kernel Git Commit Fix, Kernel Git Commit Update, Kernel Git Commit Change.
Workarounds
- Unload the kafs and rxrpc kernel modules on systems that do not require AFS connectivity using modprobe -r kafs rxrpc.
- Blocklist the affected modules in /etc/modprobe.d/ to prevent automatic loading until kernels are patched.
- Limit local user access on hosts that must continue running unpatched kernels with AFS enabled.
# Blocklist rxrpc and kafs modules until a patched kernel is deployed
echo 'blacklist kafs' | sudo tee /etc/modprobe.d/cve-2026-43463.conf
echo 'blacklist rxrpc' | sudo tee -a /etc/modprobe.d/cve-2026-43463.conf
sudo modprobe -r kafs rxrpc 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
