Home

Description

In the Linux kernel, the following vulnerability has been resolved: net-shapers: don't free reply skb after genlmsg_reply() genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path. net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice. Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-13 | Updated 2026-05-20 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

4b623f9f0f59652ea71fcb27d60b4c3b65126dbb (git) before 8738dcc844fff7d0157ee775230e95df3b1884d7
affected

4b623f9f0f59652ea71fcb27d60b4c3b65126dbb (git) before 83f7b54242d0abbfce35a55c01322f50962ed3ee
affected

4b623f9f0f59652ea71fcb27d60b4c3b65126dbb (git) before 57885276cc16a2e2b76282c808a4e84cbecb3aae
affected

Default status
affected

6.13
affected

Any version before 6.13
unaffected

6.18.19 (semver)
unaffected

6.19.9 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/8738dcc844fff7d0157ee775230e95df3b1884d7

git.kernel.org/...c/83f7b54242d0abbfce35a55c01322f50962ed3ee

git.kernel.org/...c/57885276cc16a2e2b76282c808a4e84cbecb3aae

cve.org (CVE-2026-43481)

nvd.nist.gov (CVE-2026-43481)

Download JSON