CVE-2026-43016 in Linux

Summary

by VulDB • 23.05.2026

Implied Question: What is the bug described in this KASAN report?

Based on the provided KASAN (Kernel Address Sanitizer) report, here is the analysis of the bug:

### 1. **Bug Type: Use-After-Free (UAF)**

The report describes a **use-after-free**. The structure of the KASAN output shows it:

- **"Allocated by task 11013"**: the stack at which the memory was originally allocated.
- **"Freed by task 15"**: the stack at which it was freed.
- The bad access (the register dump at the top belongs to it) happened *after* the free by task 15, from a context that still held a pointer to the object. The "Read/Write of size N at addr ... by task" line in the KASAN header names that accessing context; it may be task 11013 or a later operation on the same socket.

### 2. **Affected Object: Socket Inode**

- **Allocation source**: `sock_alloc_inode` (`net/socket.c:316`)
- **Call chain**: `__sys_socketpair` → `sock_create` → `__sock_create` → `sock_alloc` → `new_inode_pseudo` → `alloc_inode` → `sock_alloc_inode`
- `sock_alloc_inode` takes a `struct socket_alloc` from the `sock_inode_cache` slab; that object embeds both the `struct socket` and its `struct inode`, so the freed memory is one socket's socket/inode pair. It was created by the `socketpair()` system call, which calls `sock_create()` twice, so each end of the pair has its own allocation.

### 3. **Root Cause Analysis**

- **Dangling pointer or reference-count imbalance**: task 11013 allocated the socket inode (during `socketpair()` creation). Task 15 later freed it, i.e. the last inode reference was dropped on that side, typically during socket close/destroy. Some code path still held a pointer to the object and dereferenced it afterwards.
- **RCU context**: the free trace ends in `rcu_do_batch`, so the free ran from an RCU callback. For VFS inodes that is the normal path: `destroy_inode()` defers the final `free_inode` step (here `sock_free_inode`) through `call_rcu()`, and the callback runs after the next grace period. The RCU frame therefore shows *how* the inode was freed, not by itself that RCU was misused. Two candidate causes remain:
  - a reader that relied on an RCU read-side critical section to keep the socket alive but accessed it outside that section, after the grace period had already elapsed; or
  - a reference-count error, where the last reference was dropped while another user still depended on the object.

### 4. **Key Registers (for debugging)**

- **RAX**: `ffffffffffffffda` → as a signed 64-bit value this is `-38`, i.e. `-ENOSYS`, not `-EINVAL` (`-22` would be `ffffffffffffffea`). `-ENOSYS` is the value the x86-64 syscall entry code stores in `pt_regs->ax` before dispatching a system call, so a dump showing it is typically the saved syscall-entry frame (the `RIP: 0033:` user-mode block, where `ORIG_RAX` holds the syscall number) rather than a faulting address. The faulting address is the `at addr ...` value in the KASAN header, not a register.
- **RDI**: `0x4` → the first argument register in the x86-64 calling convention: the first argument of the crashing function, or, in a syscall-entry frame, the first syscall argument.
- **RSP**: the stack pointer of the frame that was dumped.

### 5. **Likely Fix Direction**

- **Check reference counting**: the socket inode is released with `iput()` (directly in `sock_release()` for a socket without a file, otherwise when the last `fput()` drops the dentry); there is no `inode_put()`. `sock_put()` drops a reference on `struct sock`, a separate object with its own lifetime, so it does not protect the inode. Pair every `ihold()`/`igrab()` with its `iput()` and make sure no path keeps a raw pointer past the reference that justified it.
- **RCU synchronization**: readers that rely on RCU must access the socket only inside `rcu_read_lock()`/`rcu_read_unlock()`, and writers must free through `call_rcu()` or wait with `synchronize_rcu()` rather than freeing synchronously. Since the inode already goes through `call_rcu()`, the readers are the first thing to audit.
- **Audit the socketpair close path**: `socketpair()` creates two connected sockets with separate inodes, so closing one end must not leave the peer (or a deferred work item) holding a pointer into the freed end's `struct socket`/`struct inode`.

### Summary

- **Bug**: use-after-free of a socket inode (`struct socket_alloc` allocated by `sock_alloc_inode`).
- **Trigger**: likely a race during socket close/destroy involving `socketpair()`.
- **Fix**: review reference counting and RCU usage in `net/socket.c` and the inode allocation/freeing paths it relies on.
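The facts the sections above extract by hand (bug class, the "Allocated by"/"Freed by" stacks, the slab cache line, and the register decode of section 4) can be pulled out mechanically. The following Python triage script is an added example and is not code from the VulDB page or from the Linux kernel. The embedded KASAN report is constructed to mirror the call chains quoted above and is not the actual report for CVE-2026-43016: the kernel function names are real symbols, but every address, offset, size and task name, and the faulting function `example_reader`, are placeholders.

```python
"""KASAN use-after-free triage. Added example, not code from the VulDB page or
the Linux kernel: it parses what the analysis above reads by hand."""
import re

# Constructed sample, NOT the real report behind CVE-2026-43016: call chains
# mirror the ones quoted above; addresses, offsets, task and example_reader
# are placeholders.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in example_reader+0x1a/0x40
Read of size 8 at addr ffff888012345678 by task example/11013

Allocated by task 11013:
 kmem_cache_alloc_lru+0x100/0x2e0
 sock_alloc_inode+0x1d/0x60
 alloc_inode+0x5e/0x1a0
 new_inode_pseudo+0x12/0x60
 sock_alloc+0x35/0xa0
 __sock_create+0xd0/0x4e0
 sock_create+0x49/0x60
 __sys_socketpair+0x15b/0x560
 __x64_sys_socketpair+0x5a/0xb0

Freed by task 15:
 kmem_cache_free+0x91/0x2b0
 sock_free_inode+0x17/0x20
 i_callback+0x38/0x50
 rcu_do_batch+0x3ef/0xcb0

The buggy address belongs to the object at ffff888012345600
 which belongs to the cache sock_inode_cache of size 1024
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?:Read|Write) of size \d+ at addr [0-9a-f]+ by task (?P<task>\S+)")
STACK_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^ (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
# Sanitizer / slab-allocator glue that sits above the frame of interest.
GLUE = ("kasan_", "__kasan_", "kmem_cache_", "kmalloc", "kfree")

def parse_kasan(text):
    """Bug class, accessing task, both stacks and slab cache of a KASAN report.
    A stack ends at the first non-frame line; frames outside the 'Allocated by'
    / 'Freed by' sections (e.g. the top Call Trace) are skipped."""
    rep = {"kind": "", "access_task": "", "cache": "", "object_size": 0,
           "alloc_pid": -1, "free_pid": -1, "alloc_stack": [], "free_stack": []}
    current = None  # stack list currently being filled
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep["kind"] = m["kind"]
        elif m := ACCESS_RE.match(line):
            rep["access_task"] = m["task"]
        elif m := STACK_RE.match(line):
            side = "alloc" if m["what"] == "Allocated" else "free"
            rep[f"{side}_pid"], current = int(m["pid"]), rep[f"{side}_stack"]
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(m["func"])
        elif m := CACHE_RE.search(line):
            rep["cache"], rep["object_size"] = m["cache"], int(m["size"])
        else:
            current = None
    return rep

def origin_frame(stack):
    """First frame that is not glue: the code that really allocated/freed."""
    return next((f for f in stack if not f.startswith(GLUE)), "")

def freed_via_rcu(rep):
    """True when the free ran from an RCU callback. For VFS inodes that is the
    normal path (destroy_inode -> call_rcu -> i_callback), not proof of misuse."""
    return "rcu_do_batch" in rep["free_stack"]

# Linux errno numbers (asm-generic/errno-base.h, errno.h). The host's errno
# module is not used on purpose: its numbering differs on non-Linux hosts.
LINUX_ERRNO = {1: "EPERM", 2: "ENOENT", 4: "EINTR", 5: "EIO", 9: "EBADF", 11: "EAGAIN",
               12: "ENOMEM", 13: "EACCES", 14: "EFAULT", 16: "EBUSY", 17: "EEXIST",
               22: "EINVAL", 24: "EMFILE", 28: "ENOSPC", 32: "EPIPE", 38: "ENOSYS"}
MAX_ERRNO = 4095  # the kernel's IS_ERR() range is -4095..-1

def decode_register(value):
    """Read a 64-bit register as signed and name it when it is a -errno.
    0xffffffffffffffda is -38 = -ENOSYS, the sentinel the x86-64 syscall entry
    stores in pt_regs->ax, not -EINVAL (-22 would be 0xffffffffffffffea)."""
    signed = value - (1 << 64) if value >> 63 else value
    if -MAX_ERRNO <= signed < 0:
        return signed, LINUX_ERRNO.get(-signed, f"errno {-signed}")
    return signed, None

def triage(text):
    """The facts the analysis above extracts, in one dict."""
    rep = parse_kasan(text)
    return {"bug": rep["kind"], "accessed_by": rep["access_task"],
            "object": f"{rep['cache']} ({rep['object_size']} bytes)",
            "allocated_by": rep["alloc_pid"], "allocated_in": origin_frame(rep["alloc_stack"]),
            "allocating_syscalls": [f for f in rep["alloc_stack"]
                                    if f.startswith(("__sys_", "__x64_sys_", "__do_sys_"))],
            "freed_by": rep["free_pid"], "freed_in": origin_frame(rep["free_stack"]),
            "free_deferred_via_rcu": freed_via_rcu(rep)}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print("RAX", decode_register(0xFFFFFFFFFFFFFFDA))
```

Run it on a real report by replacing `SAMPLE_REPORT` with the dmesg excerpt; `origin_frame` is what tells you the object type (`sock_alloc_inode` means a `struct socket_alloc`), `allocating_syscalls` which entry point to reproduce with, and `free_deferred_via_rcu` whether the `rcu_do_batch` frame is just the normal inode teardown.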


| Field | Value |
|---|---|
| Responsible | Linux |
| Reserved | 01.05.2026 |
| Published | 01.05.2026 |
| Moderation | accepted |
| Entry | VDB-360621 |
| CPE | ready |
| EPSS | 0.00015 |
| KEV | no |
| Activities | very low |

Sources
