CVE-2026-43216 (GCVE-0-2026-43216)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
Title
net: Drop the lock in skb_may_tx_timestamp()
Summary
In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skb_may_tx_timestamp() skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU. Taking the lock can be avoided. The socket (pointed by the skb) will remain valid until the skb is released. The ->sk_socket and ->file member will be set to NULL once the user closes the socket which may happen before the timestamp arrives. If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointer (and the file's cred member) are RCU freed. Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a matching WRITE_ONCE() where the pointer are cleared.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: b245be1f4db1a0394e4b6eb66059814b46670ac3 , < f3e4cceafad27c9363c33622732f86722846ec6f (git)
Affected: b245be1f4db1a0394e4b6eb66059814b46670ac3 , < e4c6efb3b70ff87f1df99efce2f8893717695718 (git)
Affected: b245be1f4db1a0394e4b6eb66059814b46670ac3 , < 983512f3a87fd8dc4c94dfa6b596b6e57df5aad7 (git)
Create a notification for this product.
Linux Linux Affected: 4.0
Unaffected: 0 , < 4.0 (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h",
            "net/core/skbuff.c",
            "net/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f3e4cceafad27c9363c33622732f86722846ec6f",
              "status": "affected",
              "version": "b245be1f4db1a0394e4b6eb66059814b46670ac3",
              "versionType": "git"
            },
            {
              "lessThan": "e4c6efb3b70ff87f1df99efce2f8893717695718",
              "status": "affected",
              "version": "b245be1f4db1a0394e4b6eb66059814b46670ac3",
              "versionType": "git"
            },
            {
              "lessThan": "983512f3a87fd8dc4c94dfa6b596b6e57df5aad7",
              "status": "affected",
              "version": "b245be1f4db1a0394e4b6eb66059814b46670ac3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h",
            "net/core/skbuff.c",
            "net/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Drop the lock in skb_may_tx_timestamp()\n\nskb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must\nnot be taken in IRQ context, only softirq is okay. A few drivers receive\nthe timestamp via a dedicated interrupt and complete the TX timestamp\nfrom that handler. This will lead to a deadlock if the lock is already\nwrite-locked on the same CPU.\n\nTaking the lock can be avoided. The socket (pointed by the skb) will\nremain valid until the skb is released. The -\u003esk_socket and -\u003efile\nmember will be set to NULL once the user closes the socket which may\nhappen before the timestamp arrives.\nIf we happen to observe the pointer while the socket is closing but\nbefore the pointer is set to NULL then we may use it because both\npointer (and the file\u0027s cred member) are RCU freed.\n\nDrop the lock. Use READ_ONCE() to obtain the individual pointer. Add a\nmatching WRITE_ONCE() where the pointer are cleared."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:20:14.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f3e4cceafad27c9363c33622732f86722846ec6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4c6efb3b70ff87f1df99efce2f8893717695718"
        },
        {
          "url": "https://git.kernel.org/stable/c/983512f3a87fd8dc4c94dfa6b596b6e57df5aad7"
        }
      ],
      "title": "net: Drop the lock in skb_may_tx_timestamp()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43216",
    "datePublished": "2026-05-06T11:28:18.277Z",
    "dateReserved": "2026-05-01T14:12:55.993Z",
    "dateUpdated": "2026-05-11T22:20:14.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43216",
      "date": "2026-05-23",
      "epss": "0.00013",
      "percentile": "0.02273"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43216\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:41.190\",\"lastModified\":\"2026-05-11T19:28:01.940\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: Drop the lock in skb_may_tx_timestamp()\\n\\nskb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must\\nnot be taken in IRQ context, only softirq is okay. A few drivers receive\\nthe timestamp via a dedicated interrupt and complete the TX timestamp\\nfrom that handler. This will lead to a deadlock if the lock is already\\nwrite-locked on the same CPU.\\n\\nTaking the lock can be avoided. The socket (pointed by the skb) will\\nremain valid until the skb is released. The -\u003esk_socket and -\u003efile\\nmember will be set to NULL once the user closes the socket which may\\nhappen before the timestamp arrives.\\nIf we happen to observe the pointer while the socket is closing but\\nbefore the pointer is set to NULL then we may use it because both\\npointer (and the file\u0027s cred member) are RCU freed.\\n\\nDrop the lock. Use READ_ONCE() to obtain the individual pointer. Add a\\nmatching WRITE_ONCE() where the pointer are cleared.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndExcluding\":\"6.18.16\",\"matchCriteriaId\":\"4CA18AF7-4C43-4631-B934-2D645DEF579E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.6\",\"matchCriteriaId\":\"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/983512f3a87fd8dc4c94dfa6b596b6e57df5aad7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e4c6efb3b70ff87f1df99efce2f8893717695718\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3e4cceafad27c9363c33622732f86722846ec6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.