Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-43050— atm: lec: fix use-after-free in sock_def_readable()

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43050

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
atm: lec: fix use-after-free in sock_def_readable()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix use-after-free in sock_def_readable() A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue. The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown. Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns. v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue(). Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于atm lec驱动中lec_atm_close函数未同步清除priv->lecd指针,导致并发访问时在sock_def_readable中发生释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ~ 3e8b25f32f2f35549d03d77da030a24a45bdef5b -
LinuxLinux 2.6.12 -

II. Public POCs for CVE-2026-43050

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43050

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-05-01 · 146 CVEs total

CVE-2026-430119.8 CRITICALnet/x25: Fix potential double free of skb
CVE-2026-317059.8 CRITICALksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
CVE-2026-430379.8 CRITICALip6_tunnel: clear skb2->cb[] in ip4ip6_err()
CVE-2026-430389.8 CRITICALipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
CVE-2026-430399.8 CRITICALnet: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch
CVE-2026-317189.8 CRITICALksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
CVE-2026-317358.8 HIGHiommupt: Fix short gather if the unmap goes into a large mapping
CVE-2026-430188.8 HIGHBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
CVE-2026-317738.8 HIGHBluetooth: SMP: derive legacy responder STK authentication from MITM state
CVE-2026-317398.8 HIGHcrypto: tegra - Add missing CRYPTO_ALG_ASYNC
CVE-2026-317178.8 HIGHksmbd: validate owner of durable handle on reconnect
CVE-2026-317098.8 HIGHsmb: client: validate the whole DACL before rewriting it in cifsacl
CVE-2026-430488.8 HIGHHID: core: Mitigate potential OOB by removing bogus memset()
CVE-2026-317068.8 HIGHksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
CVE-2026-317128.3 HIGHksmbd: require minimum ACE size in smb_check_perm_dacl()
CVE-2026-317088.1 HIGHsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
CVE-2026-317798.1 HIGHwifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
CVE-2026-430518.1 HIGHHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
CVE-2026-317718.1 HIGHBluetooth: hci_event: move wake reason storage into validated event handlers
CVE-2026-317727.8 HIGHBluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync

Showing top 20 of 146 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-43050

No comments yet

Leave a comment