Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 17, 2026

CVE-2026-43109

Description

In the Linux kernel, the following vulnerability has been resolved:

x86: shadow stacks: proper error handling for mmap lock

김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it.

So let's fix both issues.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Linux kernel x86 shadow stack, shstk_pop_sigframe() ignores mmap_read_lock_killable() errors; patches add proper checks and __must_check.

Vulnerability

Details

In the Linux kernel's x86 shadow stack code, shstk_pop_sigframe() calls mmap_read_lock_killable() but does not check its return value. mmap_read_lock_killable() can return an error if the lock attempt is interrupted by a signal; ignoring that error means shstk_pop_sigframe() may proceed without holding the mmap read lock, potentially leading to access of inconsistent or unprotected memory [1].

Exploitation

To exploit this, an attacker needs local access and the ability to send signals to a process using shadow stacks. If a signal interrupts the lock acquisition during the execution of shstk_pop_sigframe(), the kernel may manipulate shadow stack state without proper synchronization, leading to a race condition. The complexity is high due to precise timing requirements.

Impact

A successful exploit could result in memory corruption or information disclosure, but the exact impact is limited by the function's role in signal handling. An attacker may be able to cause a denial of service or potentially escalate privileges if combined with other vulnerabilities.

Mitigation

The kernel community has fixed the issue by adding error checking for mmap_read_lock_killable() and marking the relevant functions with __must_check to prevent future oversights. Multiple stable kernel commits address this vulnerability [1][2][3][4]. Users should update to a kernel version that includes these patches.
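The unchecked-lock pattern and the effect of __must_check, as an added user-space C model (not the kernel's code and not taken from the patch). All names here (model_mm, lock_killable, pop_frame_unchecked, pop_frame_checked) are hypothetical, and the lock is simulated with a flag.

```c
#include <errno.h>
#include <stdbool.h>

/* The kernel's __must_check expands to this compiler attribute. */
#define must_check __attribute__((__warn_unused_result__))

/* Constructed stand-in for the lock state; not a kernel structure. */
struct model_mm {
    bool read_locked;      /* true while the read lock is held */
    bool fatal_signal;     /* simulates a signal interrupting the lock wait */
    int unlocked_accesses; /* accesses performed without the lock */
};

/* Unannotated killable lock: 0 = lock held, -EINTR = lock NOT held. */
static int lock_killable_unannotated(struct model_mm *mm)
{
    mm->read_locked = !mm->fatal_signal;
    return mm->read_locked ? 0 : -EINTR;
}

/* Annotated form: dropping the result now triggers -Wunused-result. */
static must_check int lock_killable(struct model_mm *mm)
{
    return lock_killable_unannotated(mm);
}

/* Unchecked caller: continues even when the lock was never taken. */
static int pop_frame_unchecked(struct model_mm *mm)
{
    lock_killable_unannotated(mm);              /* result silently dropped */
    mm->unlocked_accesses += !mm->read_locked;  /* work that needs the lock */
    mm->read_locked = false;                    /* unlock */
    return 0;
}

/* Checked caller: propagates the error and touches nothing. */
static int pop_frame_checked(struct model_mm *mm)
{
    int err = lock_killable(mm);

    if (err)
        return err;
    mm->unlocked_accesses += !mm->read_locked;  /* work that needs the lock */
    mm->read_locked = false;                    /* unlock */
    return 0;
}
```

Changing the call in pop_frame_unchecked() to lock_killable() makes GCC and Clang warn about the discarded result, which is how the annotation catches this class of mistake at build time.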

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
