CVE-2026-43050 (GCVE-0-2026-43050)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-02 06:14
Title
atm: lec: fix use-after-free in sock_def_readable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd
to NULL and concurrent access to priv->lecd in send_to_lecd(),
lec_handle_bridge(), and lec_atm_send(). When the socket is freed
via RCU while another thread is still using it, a use-after-free
occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without
any synchronization, while callers dereference priv->lecd without
any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()
for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference
the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and
lecd_attach()
- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),
lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in
lec_atm_close() to ensure all readers have completed before
proceeding. This is safe since lec_atm_close() is called from
vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close()
since vcc_destroy_socket() already drains it after lec_atm_close()
returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly
fix the race. The v1 spinlock approach had two issues pointed out
by Eric Dumazet:
1. priv->lecd was still accessed directly after releasing the
lock instead of using a local copy.
2. The spinlock did not prevent packets being queued after
lec_atm_close() drains sk_receive_queue since timer and
workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated
unexpectedly with "Connection to localhost closed by remote host",
likely due to a QEMU AHCI emulation issue unrelated to this fix.
Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
Severity
No CVSS data available.
Assigner
Linux (orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
References
- https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b
- https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe
- https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e
- https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a
- https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad
- https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3
- https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8
- https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 3e8b25f32f2f35549d03d77da030a24a45bdef5b (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 750a33f417f3d196b86375f8d9f8938bacf130fe (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 317843d5355062020649124eb4a0d7acbcc3f53e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b256d055da47258e63f8b40965f276c5f23d229a (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 3989740fa4978e1d2d51ecc62be1b01093e104ad (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < abc10f85a3965ac14b9ed7ad3e67b35604a63aa3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5fbbb1ff936d7ff9528d929c1549977e8123d8a8 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 922814879542c2e397b0e9641fd36b8202a8e555 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c",
"net/atm/lec.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e8b25f32f2f35549d03d77da030a24a45bdef5b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "750a33f417f3d196b86375f8d9f8938bacf130fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "317843d5355062020649124eb4a0d7acbcc3f53e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b256d055da47258e63f8b40965f276c5f23d229a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3989740fa4978e1d2d51ecc62be1b01093e104ad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "abc10f85a3965ac14b9ed7ad3e67b35604a63aa3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5fbbb1ff936d7ff9528d929c1549977e8123d8a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "922814879542c2e397b0e9641fd36b8202a8e555",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/atm/lec.c",
"net/atm/lec.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv-\u003elecd\nto NULL and concurrent access to priv-\u003elecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket\u0027s wait queue.\n\nThe root cause is that lec_atm_close() clears priv-\u003elecd without\nany synchronization, while callers dereference priv-\u003elecd without\nany protection against concurrent teardown.\n\nFix this by converting priv-\u003elecd to an RCU-protected pointer:\n- Mark priv-\u003elecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n lec_atm_close() to ensure all readers have completed before\n proceeding. This is safe since lec_atm_close() is called from\n vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n since vcc_destroy_socket() already drains it after lec_atm_close()\n returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n fix the race. The v1 spinlock approach had two issues pointed out\n by Eric Dumazet:\n 1. priv-\u003elecd was still accessed directly after releasing the\n lock instead of using a local copy.\n 2. The spinlock did not prevent packets being queued after\n lec_atm_close() drains sk_receive_queue since timer and\n workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n unexpectedly with \"Connection to localhost closed by remote host\",\n likely due to a QEMU AHCI emulation issue unrelated to this fix.\n Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T06:14:36.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b"
},
{
"url": "https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe"
},
{
"url": "https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e"
},
{
"url": "https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a"
},
{
"url": "https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad"
},
{
"url": "https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3"
},
{
"url": "https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8"
},
{
"url": "https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555"
}
],
"title": "atm: lec: fix use-after-free in sock_def_readable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43050",
"datePublished": "2026-05-01T14:15:44.542Z",
"dateReserved": "2026-05-01T14:12:55.979Z",
"dateUpdated": "2026-05-02T06:14:36.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43050",
"date": "2026-05-04",
"epss": "0.00024",
"percentile": "0.06795"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-43050\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T15:16:51.403\",\"lastModified\":\"2026-05-01T15:24:14.893\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\natm: lec: fix use-after-free in sock_def_readable()\\n\\nA race condition exists between lec_atm_close() setting priv-\u003elecd\\nto NULL and concurrent access to priv-\u003elecd in send_to_lecd(),\\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\\nvia RCU while another thread is still using it, a use-after-free\\noccurs in sock_def_readable() when accessing the socket\u0027s wait queue.\\n\\nThe root cause is that lec_atm_close() clears priv-\u003elecd without\\nany synchronization, while callers dereference priv-\u003elecd without\\nany protection against concurrent teardown.\\n\\nFix this by converting priv-\u003elecd to an RCU-protected pointer:\\n- Mark priv-\u003elecd as __rcu in lec.h\\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\\n for safe pointer assignment\\n- Use rcu_access_pointer() for NULL checks that do not dereference\\n the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\\n lecd_attach()\\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\\n lec_handle_bridge() and lec_atm_send() to safely access lecd\\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\\n lec_atm_close() to ensure all readers have completed before\\n proceeding. This is safe since lec_atm_close() is called from\\n vcc_release() which holds lock_sock(), a sleeping lock.\\n- Remove the manual sk_receive_queue drain from lec_atm_close()\\n since vcc_destroy_socket() already drains it after lec_atm_close()\\n returns.\\n\\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\\n fix the race. The v1 spinlock approach had two issues pointed out\\n by Eric Dumazet:\\n 1. priv-\u003elecd was still accessed directly after releasing the\\n lock instead of using a local copy.\\n 2. The spinlock did not prevent packets being queued after\\n lec_atm_close() drains sk_receive_queue since timer and\\n workqueue paths bypass netif_stop_queue().\\n\\nNote: Syzbot patch testing was attempted but the test VM terminated\\n unexpectedly with \\\"Connection to localhost closed by remote host\\\",\\n likely due to a QEMU AHCI emulation issue unrelated to this fix.\\n Compile testing with \\\"make W=1 net/atm/lec.o\\\" passes cleanly.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.