Potential Use-After-Free Vulnerability in Linux Kernel Affecting System Performance
CVE-2026-43438

7.8 HIGH

Key Information:

Vendor

Linux

Status
Vendor
CVE Published:
8 May 2026

What is CVE-2026-43438?

A vulnerability in the Linux kernel arises from an issue in the cgroup subsystem. The iterator css_for_each_descendant_pre() runs under cgroup_lock() and does not take a reference on the css structures it yields; they are borrowed, not owned, by the caller. Calling css_put() on such a borrowed css in the error path of scx_cgroup_init() therefore unbalances the reference count and can free a css that is still in use, resulting in a potential use-after-free. An attacker could exploit this to compromise system stability and security.
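To make the reference-count imbalance described above concrete, here is a constructed C model added to this record; it is not kernel code and not the upstream fix. A small refcounted object stands in for a cgroup_subsys_state, a "freed" flag makes a put on an already-freed object detectable, and two initialisers are compared: one that puts references it only borrowed (the bug class) and one that releases only references it explicitly took. The names toy_css, scx_init_buggy, scx_init_fixed and run_scenario are all assumptions for this illustration; the hardened variant shows one standard way to keep the count balanced, not the change made in the referenced commit.

```c
#include <stdio.h>

/* Constructed toy model, not kernel code: a refcounted object standing in
 * for a cgroup_subsys_state. The "freed" flag lets a put on an already-freed
 * object be detected and counted instead of corrupting memory as a real
 * free would. */
struct toy_css {
    int refcnt;
    int freed;
};

#define N_CSS 3

/* The hierarchy (the owner) holds exactly one reference on each css. */
static void hierarchy_init(struct toy_css css[], int n)
{
    for (int i = 0; i < n; i++) {
        css[i].refcnt = 1;
        css[i].freed = 0;
    }
}

static void toy_css_get(struct toy_css *c)
{
    if (!c->freed)
        c->refcnt++;
}

/* Returns -1 when the object was already freed (a use-after-free hazard). */
static int toy_css_put(struct toy_css *c)
{
    if (c->freed)
        return -1;
    if (--c->refcnt == 0)
        c->freed = 1;           /* model of the object being freed */
    return 0;
}

/* Buggy initialiser: visits the css array the way a locked pre-order
 * iterator hands out BORROWED references, then on failure "cleans up" by
 * putting every css visited so far although it never took a reference. */
static int scx_init_buggy(struct toy_css css[], int n, int fail_at)
{
    for (int i = 0; i < n; i++) {
        if (i == fail_at) {
            for (int j = 0; j <= i; j++)
                toy_css_put(&css[j]);   /* drops the owner's reference */
            return -1;
        }
    }
    return 0;
}

/* Hardened initialiser (an assumed pattern, not the upstream fix): only
 * references this function explicitly took are released, so the count
 * stays balanced on both the success and the error path. */
static int scx_init_fixed(struct toy_css css[], int n, int fail_at)
{
    int taken = 0;
    int ret = 0;

    for (int i = 0; i < n; i++) {
        if (i == fail_at) {
            ret = -1;
            break;
        }
        toy_css_get(&css[i]);   /* take our own reference before using it */
        taken++;
    }
    /* release exactly what we took, whether or not we failed */
    for (int j = 0; j < taken; j++)
        toy_css_put(&css[j]);
    return ret;
}

/* Owner's later teardown: drop the hierarchy's own reference on each css
 * and count how many of those puts land on an already-freed object. */
static int hierarchy_teardown(struct toy_css css[], int n)
{
    int uaf = 0;
    for (int i = 0; i < n; i++)
        if (toy_css_put(&css[i]) < 0)
            uaf++;
    return uaf;
}

/* Runs one scenario; returns the number of use-after-free events detected. */
int run_scenario(int use_fixed, int fail_at)
{
    struct toy_css css[N_CSS];
    hierarchy_init(css, N_CSS);
    if (use_fixed)
        scx_init_fixed(css, N_CSS, fail_at);
    else
        scx_init_buggy(css, N_CSS, fail_at);
    return hierarchy_teardown(css, N_CSS);
}

int main(void)
{
    printf("buggy, failure at css 1: %d UAF event(s)\n", run_scenario(0, 1));
    printf("fixed, failure at css 1: %d UAF event(s)\n", run_scenario(1, 1));
    printf("fixed, no failure:       %d UAF event(s)\n", run_scenario(1, -1));
    return 0;
}
```

With a failure at the second css, the buggy path frees the two css objects it had merely borrowed, so the owner's later teardown touches freed memory twice; the hardened path reports none, because every put is paired with a get made by the same function. The rule the model demonstrates is the one the advisory turns on: a lock-protected iterator lends references, and an error path may release only what the function itself acquired.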

Affected Version(s)

Linux 8195136669661fdfe54e9a8923c33b31c92fc1da

Linux 8195136669661fdfe54e9a8923c33b31c92fc1da < 6eaaa67d6998f6c30c462b140db8c062e07ec473

Linux 8195136669661fdfe54e9a8923c33b31c92fc1da

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
