CVE-2026-43249 (GCVE-0-2026-43249)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
VLAI?
Title
9p/xen: protect xen_9pfs_front_free against concurrent calls
Summary
In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash. This is a fix for the following double-free: [ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none) [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150 [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42 [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246 [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000 [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000 [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000 [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68 [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040 [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000 [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660 [ 27.052418] Call Trace: [ 27.052420] <TASK> [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720 [ 27.052426] ? xenbus_otherend_changed+0x72/0x140 [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10 [ 27.052434] xenwatch_thread+0x94/0x1c0 [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10 [ 27.052442] kthread+0xf8/0x240 [ 27.052445] ? __pfx_kthread+0x10/0x10 [ 27.052449] ? __pfx_kthread+0x10/0x10 [ 27.052452] ret_from_fork+0x16b/0x1a0 [ 27.052456] ? __pfx_kthread+0x10/0x10 [ 27.052459] ret_from_fork_asm+0x1a/0x30 [ 27.052463] </TASK> [ 27.052465] Modules linked in: [ 27.052471] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a5d00dff97118a32fcf5fec7a4c3f864c4620c4e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 59e7707492576bdbfa8c1dbe7d90791df31e4773 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bf841d43f7a33d75675ba7f4e214ac1c67913065 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ce8ded2e61f47747e31eeefb44dc24a2160a7e32 (git)
Create a notification for this product.
    Linux Linux Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/9p/trans_xen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5d00dff97118a32fcf5fec7a4c3f864c4620c4e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "59e7707492576bdbfa8c1dbe7d90791df31e4773",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bf841d43f7a33d75675ba7f4e214ac1c67913065",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ce8ded2e61f47747e31eeefb44dc24a2160a7e32",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/9p/trans_xen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[   27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[   27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[   27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[   27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 \u003c48\u003e 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[   27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[   27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[   27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[   27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[   27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[   27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[   27.052404] FS:  0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[   27.052408] CS:  e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[   27.052418] Call Trace:\n[   27.052420]  \u003cTASK\u003e\n[   27.052422]  xen_9pfs_front_changed+0x5d5/0x720\n[   27.052426]  ? xenbus_otherend_changed+0x72/0x140\n[   27.052430]  ? __pfx_xenwatch_thread+0x10/0x10\n[   27.052434]  xenwatch_thread+0x94/0x1c0\n[   27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10\n[   27.052442]  kthread+0xf8/0x240\n[   27.052445]  ? __pfx_kthread+0x10/0x10\n[   27.052449]  ? __pfx_kthread+0x10/0x10\n[   27.052452]  ret_from_fork+0x16b/0x1a0\n[   27.052456]  ? __pfx_kthread+0x10/0x10\n[   27.052459]  ret_from_fork_asm+0x1a/0x30\n[   27.052463]  \u003c/TASK\u003e\n[   27.052465] Modules linked in:\n[   27.052471] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T11:28:40.290Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32"
        }
      ],
      "title": "9p/xen: protect xen_9pfs_front_free against concurrent calls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43249",
    "datePublished": "2026-05-06T11:28:40.290Z",
    "dateReserved": "2026-05-01T14:12:55.996Z",
    "dateUpdated": "2026-05-06T11:28:40.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43249\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:45.493\",\"lastModified\":\"2026-05-06T13:07:51.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\n9p/xen: protect xen_9pfs_front_free against concurrent calls\\n\\nThe xenwatch thread can race with other back-end change notifications\\nand call xen_9pfs_front_free() twice, hitting the observed general\\nprotection fault due to a double-free. Guard the teardown path so only\\none caller can release the front-end state at a time, preventing the\\ncrash.\\n\\nThis is a fix for the following double-free:\\n\\n[   27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\\n[   27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\\n[   27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\\n[   27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 \u003c48\u003e 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\\n[   27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\\n[   27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\\n[   27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\\n[   27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\\n[   27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\\n[   27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\\n[   27.052404] FS:  0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\\n[   27.052408] CS:  e030 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[   27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\\n[   27.052418] Call Trace:\\n[   27.052420]  \u003cTASK\u003e\\n[   27.052422]  xen_9pfs_front_changed+0x5d5/0x720\\n[   27.052426]  ? xenbus_otherend_changed+0x72/0x140\\n[   27.052430]  ? __pfx_xenwatch_thread+0x10/0x10\\n[   27.052434]  xenwatch_thread+0x94/0x1c0\\n[   27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10\\n[   27.052442]  kthread+0xf8/0x240\\n[   27.052445]  ? __pfx_kthread+0x10/0x10\\n[   27.052449]  ? __pfx_kthread+0x10/0x10\\n[   27.052452]  ret_from_fork+0x16b/0x1a0\\n[   27.052456]  ? __pfx_kthread+0x10/0x10\\n[   27.052459]  ret_from_fork_asm+0x1a/0x30\\n[   27.052463]  \u003c/TASK\u003e\\n[   27.052465] Modules linked in:\\n[   27.052471] ---[ end trace 0000000000000000 ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.