CVE-2026-43373
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ncsi: fix skb leak in error paths
Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in Linux kernel NCSI handlers (ncsi_aen_handler and ncsi_rcv_rsp) occurs when early return paths fail to free the received skb.
Vulnerability Overview
A memory leak vulnerability exists in the Linux kernel's NCSI (Network Controller Sideband Interface) subsystem. The issue is found in two functions: ncsi_aen_handler() and ncsi_rcv_rsp(). In ncsi_aen_handler(), when an invalid AEN (Asynchronous Event Notification) packet is received, the function returns early without freeing the associated socket buffer (skb). Similarly, in ncsi_rcv_rsp(), early exit paths that occur when the NCSI device, response handler, or request cannot be resolved also fail to release the skb, leading to a memory leak [1].
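The pattern described above, modeled in userspace C as an added example (not kernel code and not the upstream patch): a handler that owns a received buffer returns early on invalid input or a failed lookup. `struct buf`, `rx_leaky`, `rx_fixed`, `lookup_handler` and the other names are hypothetical stand-ins for the skb and the NCSI handlers, and the inputs are constructed.

```c
/* Userspace model, not kernel code; struct buf stands in for the skb. */
#include <stdio.h>
#include <stdlib.h>

static long live_bufs;  /* buffers allocated and not yet freed */
struct buf { unsigned char type; size_t len; };

static struct buf *buf_alloc(unsigned char type, size_t len) {
    struct buf *b = malloc(sizeof(*b));
    if (b) { b->type = type; b->len = len; live_bufs++; }
    return b;
}
static void buf_free(struct buf *b) { live_bufs--; free(b); }
/* Stand-in for resolving device/handler/request: only type 1 is known. */
static int lookup_handler(unsigned char type) { return type == 1 ? 0 : -1; }

/* Before: the handler owns b, but the early returns never release it. */
static int rx_leaky(struct buf *b) {
    if (b->len < 4) return -1;               /* invalid packet: b leaked */
    if (lookup_handler(b->type)) return -2;  /* lookup failed: b leaked */
    buf_free(b);                             /* only the success path frees */
    return 0;
}

/* After: every exit funnels through one label that releases the buffer. */
static int rx_fixed(struct buf *b) {
    int ret = 0;
    if (b->len < 4) { ret = -1; goto out; }
    if (lookup_handler(b->type)) ret = -2;
out:
    buf_free(b);
    return ret;
}

/* Feed n malformed buffers to rx; return how many are still allocated. */
static long leaked_after(int (*rx)(struct buf *), int n) {
    long before = live_bufs;
    for (int i = 0; i < n; i++) {
        /* Constructed inputs: odd i is too short, even i has no handler. */
        struct buf *b = (i % 2) ? buf_alloc(1, 2) : buf_alloc(9, 64);
        if (b) rx(b);
    }
    return live_bufs - before;
}

int main(void) {
    printf("leaky=%ld\n", leaked_after(rx_leaky, 1000));
    printf("fixed=%ld\n", leaked_after(rx_fixed, 1000));
    return 0;
}
```

In the model, each malformed input costs the leaky handler one buffer that is never returned, which is why repeated error-path hits add up to resource exhaustion.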
Exploitation and Impact
An attacker with the ability to send crafted NCSI packets to a vulnerable system could trigger these early return paths repeatedly. This would cause the kernel to leak memory each time, potentially leading to resource exhaustion over time. No authentication is required for this attack, as NCSI packets are typically received over the network. The vulnerability has a CVSS v3 score of 7.5 (High), indicating significant availability impact [1].
Mitigation
The fix is included in the Linux kernel stable tree as commit 81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a. System administrators should apply the latest kernel updates from their distribution to remediate this issue. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e (nvd, Patch)
- git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49 (nvd, Patch)
- git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259 (nvd, Patch)
- git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a (nvd, Patch)
- git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4 (nvd, Patch)
- git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06 (nvd, Patch)
- git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189 (nvd, Patch)
- git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552 (nvd, Patch)