CVE-2026-43042
Description
In the Linux kernel, the following vulnerability has been resolved:
mpls: add seqcount to protect the platform_label{,s} pair
The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses.
This patch adds a seqcount, so that we get a consistent snapshot.
Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's MPLS subsystem allows out-of-bounds access when the platform label table is resized concurrently with RCU-protected reads.
Vulnerability
Description
CVE-2026-43042 is a race condition in the Linux kernel's MPLS (Multiprotocol Label Switching) implementation. The platform_label and platform_labels variables are protected by RCU for read paths (e.g., mpls_forward, mpls_dump_routes), but a concurrent resize operation (resize_platform_label_table) under platform_mutex can leave the RCU readers with an inconsistent view of the pair. This inconsistency can lead to out-of-bounds (OOB) memory accesses [1][2].
Exploitation
An attacker would need to trigger a race between an RCU-protected read (such as forwarding a packet or dumping routes) and a concurrent resize of the platform label table. The resize is performed under platform_mutex, but the RCU read-side critical sections do not synchronize with that mutex. The vulnerability is local in the sense that it requires the ability to trigger MPLS operations and a resize, but no special privileges beyond those needed to manipulate MPLS routes (e.g., CAP_NET_ADMIN). The race window is tight but exploitable under controlled conditions.
Impact
Successful exploitation could allow an attacker to read or write memory beyond the bounds of the platform label table, potentially leading to information disclosure or kernel memory corruption. The official description notes that mpls_label_ok is also susceptible, so the check against RTA_DST in rtm_to_route_config, which is done outside platform_mutex, is not sufficient on its own. The value is passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, which covers that specific path, and the description warns that this additional check must not be removed [1].
Mitigation
The fix adds a seqcount to ensure that RCU readers obtain a consistent snapshot of the platform_label/platform_labels pair. The patch has been applied to the stable kernel tree [1][2]. Users should update to a kernel version containing the fix. No workaround is mentioned; the vulnerability is resolved by applying the kernel patch.
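The consistent-snapshot idea behind the fix, as an added userspace illustration in C11 (not the kernel patch and not code from this page): a sequence counter lets a reader detect that the array pointer and its length came from different sides of a resize. All `model_*` names and the sample arrays are constructed for the example, and memory reclamation, which RCU handles in the kernel, is left out.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the pattern; every name here is hypothetical. */
struct label_table {
    atomic_uint seq;        /* even: stable, odd: resize in progress */
    _Atomic(int *) labels;  /* models platform_label (the array) */
    atomic_size_t count;    /* models platform_labels (its length) */
};

/* Writer: publish a new array/length pair inside one sequence window. */
static void model_resize(struct label_table *t, int *arr, size_t n)
{
    atomic_fetch_add(&t->seq, 1);   /* odd: the pair may be inconsistent */
    atomic_store(&t->labels, arr);
    atomic_store(&t->count, n);
    atomic_fetch_add(&t->seq, 1);   /* even: the pair is consistent again */
}

/* True when values read since `start` was sampled must be discarded. */
static bool model_read_retry(struct label_table *t, unsigned start)
{
    return (start & 1) || atomic_load(&t->seq) != start;
}

/* Reader: bounds-checked lookup on a consistent snapshot; -1 if out of range. */
static int model_lookup(struct label_table *t, size_t idx)
{
    int *arr; size_t n; unsigned s;
    do {
        s = atomic_load(&t->seq);
        arr = atomic_load(&t->labels);
        n = atomic_load(&t->count);
    } while (model_read_retry(t, s));
    return idx < n ? arr[idx] : -1;
}

/* Constructed interleaving: a shrink lands between the reader's two loads. */
static bool model_torn_read_is_flagged(void)
{
    static int orig[8] = {0, 1, 2, 3, 4, 5, 6, 7}, shrunk[2] = {10, 11};
    struct label_table t = { 0, orig, 8 };
    unsigned s = atomic_load(&t.seq);
    size_t n = atomic_load(&t.count);     /* stale length: 8 */
    model_resize(&t, shrunk, 2);
    int *arr = atomic_load(&t.labels);    /* new 2-entry array */
    return arr == shrunk && n == 8 && model_read_retry(&t, s);
}
int main(void) { return model_torn_read_is_flagged() ? 0 : 1; }
```

Without the retry check, the interleaved reader would pair the stale length 8 with the 2-entry array, which is the mismatch the description says can lead to OOB accesses.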
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=4.1,<6.19.12
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
News mentions
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026