CVE-2026-43481 Overview
CVE-2026-43481 is a Linux kernel vulnerability in the net-shapers generic netlink (genetlink) subsystem. The flaw is a double-free condition in the reply socket buffer (skb) handling path. Specifically, net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() jump to a free_msg label after genlmsg_reply() returns an error, then call nlmsg_free(msg) on a buffer that netlink_unicast() already consumed. The kernel maintainers resolved the issue by returning the genlmsg_reply() error directly and reserving free_msg for pre-reply failures.
Critical Impact
A double-free on a netlink reply skb can corrupt kernel slab metadata, leading to memory corruption, kernel panic, or potential local privilege escalation paths.
Affected Products
- Linux kernel versions containing the net-shapers genetlink handlers net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
- Distributions shipping the affected stable kernel branches prior to the referenced fix commits
- Systems exposing the net-shapers genetlink interface to local users
Discovery Timeline
- 2026-05-13 - CVE-2026-43481 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43481
Vulnerability Analysis
The vulnerability is a Double Free [CWE-415] in the Linux kernel's net-shapers generic netlink handlers. The functions net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() build a reply skb, pass it to genlmsg_reply(), and on error jump to a cleanup label that calls nlmsg_free(msg). This logic is incorrect because genlmsg_reply() delegates ownership of the skb to netlink_unicast().
netlink_unicast() consumes the skb on every return path: whether the message is queued to the receiving socket or dropped on error, the caller must not free the buffer again. The cleanup path therefore operates on an skb that has already been released.
Root Cause
The root cause is incorrect ownership handling of the netlink reply skb after a transfer-of-ownership API call. The free_msg label was reused for both pre-reply allocation failures and post-reply error returns. Only the pre-reply case still owns the buffer. The fix splits these paths and returns the genlmsg_reply() error directly without freeing.
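As an added illustration (not the kernel's code), the following user-space C model contrasts the vulnerable handler shape with the fixed one. The model_* functions are assumptions standing in for genlmsg_new()/genlmsg_put(), genlmsg_reply() and nlmsg_free(), and a free counter replaces real memory so the second release is observable rather than fatal:

```c
/* Added example, not kernel code: a user-space model of the skb ownership
 * rule that CVE-2026-43481 violates. The message is a struct with a free
 * counter instead of a heap allocation, so a double free is counted rather
 * than crashing. Every model_* name is an assumption for the kernel API it names. */
#include <errno.h>

struct model_msg { int free_calls; };   /* times the buffer was released */

/* Stand-in for genlmsg_new() + genlmsg_put() + attribute filling. */
static int model_build_reply(struct model_msg *msg, int fill_fails)
{
    msg->free_calls = 0;
    return fill_fails ? -EMSGSIZE : 0;   /* handler still owns msg on error */
}

/* Stand-in for genlmsg_reply() -> netlink_unicast(): consumes the buffer on
 * every return path, so an error return does NOT hand ownership back. */
static int model_genlmsg_reply(struct model_msg *msg, int deliver_fails)
{
    msg->free_calls++;
    return deliver_fails ? -ECONNREFUSED : 0;
}

/* Stand-in for nlmsg_free(). */
static void model_nlmsg_free(struct model_msg *msg) { msg->free_calls++; }

/* Vulnerable shape: one free_msg label serves pre- and post-reply errors. */
int vulnerable_get_doit(struct model_msg *msg, int fill_fails, int deliver_fails)
{
    int ret = model_build_reply(msg, fill_fails);
    if (ret) goto free_msg;
    ret = model_genlmsg_reply(msg, deliver_fails);
    if (ret) goto free_msg;   /* BUG: msg was already consumed above */
    return 0;
free_msg:
    model_nlmsg_free(msg);
    return ret;
}

/* Fixed shape: reply errors return directly; free_msg serves only failures
 * that happen while the handler still owns the buffer. */
int fixed_get_doit(struct model_msg *msg, int fill_fails, int deliver_fails)
{
    int ret = model_build_reply(msg, fill_fails);
    if (ret) goto free_msg;
    return model_genlmsg_reply(msg, deliver_fails);
free_msg:
    model_nlmsg_free(msg);
    return ret;
}
```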
Attack Vector
An unprivileged local process that can open an AF_NETLINK socket and issue net-shapers genetlink commands can trigger the affected handlers. Forcing genlmsg_reply() into its error path causes the kernel to free the same slab object twice. Repeated triggering can be used to corrupt the SLUB freelist and pivot toward arbitrary kernel memory write primitives. No remote attack vector is described in the upstream commit.
No verified public exploit code is available. The vulnerability is described in prose only; see the referenced stable tree commits for the exact diff.
Detection Methods for CVE-2026-43481
Indicators of Compromise
- Kernel oops or panic messages referencing nlmsg_free, skb_release_data, or kfree with SLUB double-free diagnostics
- BUG: KASAN: double-free or BUG: KASAN: use-after-free reports whose call trace passes through netlink reply paths
- Unexpected crashes in processes invoking net-shapers genetlink families
Detection Strategies
- Enable CONFIG_SLUB_DEBUG and CONFIG_KASAN on test kernels to surface double-free conditions during fuzzing of the netlink interface
- Monitor dmesg and /var/log/kern.log for slab corruption signatures correlated with net-shapers usage
- Audit running kernel versions against the fixed commit hashes 57885276cc16, 83f7b54242d0, and 8738dcc844ff
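As an added illustration of the log-monitoring strategy above (not part of the advisory), a small C scanner that walks kernel ring-buffer lines and counts KASAN reports whose call trace touches netlink or net-shaper symbols. The log lines are constructed for the example, and the header and frame signature lists are assumptions chosen to match the indicators listed above:

```c
/* Added example, not from the advisory: flags KASAN double-free / use-after-free
 * reports whose call trace passes through netlink or net-shaper symbols.
 * Log lines are constructed; signature strings are assumptions, not an official set. */
#include <string.h>

static const char *const kasan_headers[] = {
    "BUG: KASAN: double-free", "BUG: KASAN: use-after-free", NULL };
static const char *const netlink_frames[] = {   /* ties a report to the reply path */
    "nlmsg_free", "skb_release_data", "netlink_", "genl_", "net_shaper_nl_", NULL };

static int matches_any(const char *line, const char *const *needles)
{
    for (; *needles; needles++)
        if (strstr(line, *needles)) return 1;
    return 0;
}

/* A report starts at a KASAN header and ends at the next "====" separator. */
int count_netlink_kasan_reports(const char *const *lines, int n)
{
    int in_report = 0, netlink_seen = 0, hits = 0;
    for (int i = 0; i < n; i++) {
        if (!in_report) {
            if (matches_any(lines[i], kasan_headers))
                in_report = 1, netlink_seen = 0;
        } else if (strstr(lines[i], "====")) {      /* end of this report */
            hits += netlink_seen;
            in_report = 0;
        } else if (matches_any(lines[i], netlink_frames)) {
            netlink_seen = 1;
        }
    }
    return hits + (in_report && netlink_seen);   /* truncated last report */
}

/* Constructed sample: one netlink-path double free, one unrelated report. */
const char *const sample_dmesg[] = {
    "[  12.001] ==================================================",
    "[  12.002] BUG: KASAN: double-free in kfree+0x5a/0x1c0",
    "[  12.003] Free of addr ffff888012345600 by task shaperctl/1337",
    "[  12.004] Call Trace:",
    "[  12.005]  net_shaper_nl_get_doit+0x1f0/0x220",
    "[  12.006]  genl_rcv_msg+0x2c0/0x3e0",
    "[  12.007] ==================================================",
    "[  40.100] BUG: KASAN: use-after-free in fake_fs_read+0x10/0x20",
    "[  40.101]  vfs_read+0xaa/0x1b0",
    "[  40.102] ==================================================",
};
const int sample_dmesg_len = sizeof sample_dmesg / sizeof sample_dmesg[0];
```

Feeding real dmesg output line by line into count_netlink_kasan_reports() is enough to turn the second detection bullet into an alert condition.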
Monitoring Recommendations
- Track local processes opening NETLINK_GENERIC sockets and issuing net-shaper family commands using auditd rules on the socket and sendmsg syscalls
- Forward kernel ring buffer messages to a centralized log pipeline and alert on slab or KASAN signatures
- Maintain an inventory of kernel build versions across the fleet to identify hosts still running pre-patch kernels
How to Mitigate CVE-2026-43481
Immediate Actions Required
- Apply the upstream stable kernel updates that include commits 57885276cc16a2e2b76282c808a4e84cbecb3aae, 83f7b54242d0abbfce35a55c01322f50962ed3ee, and 8738dcc844fff7d0157ee775230e95df3b1884d7
- Install the patched kernel package from your distribution (or rebuild from patched sources) and reboot affected hosts
- Restrict shell access on multi-tenant systems until patches are deployed
Patch Information
The fix returns the genlmsg_reply() error directly from both net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit(). The free_msg label is retained only for failure paths that occur before ownership of the skb is transferred. Patch references: kernel commits 57885276cc16, 83f7b54242d0, and 8738dcc844ff.
Workarounds
- Where patching is not yet possible, restrict use of CAP_NET_ADMIN and limit local accounts that can interact with generic netlink families
- Consider seccomp profiles for untrusted workloads that deny socket(AF_NETLINK, ...) calls
- Disable or unload kernel modules exposing the net-shapers interface in environments where the feature is unused
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.