VYPR
High severity · CVSS 7.8 · NVD Advisory · Published May 13, 2026 · Updated May 20, 2026

CVE-2026-43481

Description

In the Linux kernel, the following vulnerability has been resolved:

net-shapers: don't free reply skb after genlmsg_reply()

genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path.

net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice.

Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.

Affected products: 1

Patches: 3

Vulnerability mechanics

Root cause

"Double-free of a reply skb because genlmsg_reply() already consumes the skb on all return paths, but the error-handling code unconditionally calls nlmsg_free() after a failed genlmsg_reply()."

Attack vector

An attacker sends a crafted netlink GENL request to the net-shapers subsystem, targeting either the net_shaper_nl_get_doit() or net_shaper_nl_cap_get_doit() handler. The kernel constructs a reply skb and calls genlmsg_reply(), which passes the skb to netlink_unicast(). If netlink_unicast() fails (e.g., due to a full socket buffer or a signal), it frees the skb internally. The error path then calls nlmsg_free() on the same skb pointer, triggering a double-free. This can lead to use-after-free corruption or a kernel crash. No authentication is required if the netlink socket is accessible to unprivileged users.

Affected code

The vulnerability is in the net-shapers netlink handlers net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit(). Both functions call genlmsg_reply() and then, on failure, jump to a free_msg label that calls nlmsg_free() on the same skb that genlmsg_reply() already consumed.

What the fix does

The patch changes both net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() to return the error from genlmsg_reply() directly instead of jumping to the free_msg label. The free_msg label is retained only for failures that occur before genlmsg_reply() is called (e.g., when nlmsg_put() fails). This ensures that the reply skb is never freed twice, because genlmsg_reply() already consumes the skb on every return path of netlink_unicast().
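The ownership rule described above is easy to get wrong because the consuming call looks like an ordinary function that might leave its argument alone on failure. The following user-space model, added here as an illustration and not taken from the kernel or from the fix commit, mirrors the control-flow shape of net_shaper_nl_get_doit() before and after the patch. model_genlmsg_reply(), model_nlmsg_free() and the counting skb pool are stand-ins of my own; they count frees instead of touching an allocator so the second free is observable rather than a crash.

```c
/* Added example for CVE-2026-43481 (not kernel code, not the fix commit):
 * a user-space model of the skb ownership rule the patch restores.
 * model_genlmsg_reply() stands in for genlmsg_reply()/netlink_unicast()
 * and consumes the skb on every return path; the two handlers mirror the
 * shape of net_shaper_nl_get_doit() before and after the patch. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct sk_buff. Frees are counted rather than handed to an
 * allocator so that a second nlmsg_free() shows up as a number, not a crash. */
struct model_skb {
    int freed;              /* number of times model_nlmsg_free() ran on it */
};

static struct model_skb pool[1];   /* one reply skb per handler invocation */

static struct model_skb *model_alloc_skb(void)
{
    memset(pool, 0, sizeof(pool));
    return &pool[0];
}

/* Stand-in for nlmsg_free(): records each call on the skb. */
static void model_nlmsg_free(struct model_skb *skb)
{
    if (skb)
        skb->freed++;
}

/* Stand-in for genlmsg_reply(): whether delivery succeeds or fails, the skb
 * is consumed here and the caller no longer owns it. deliver_ok mimics
 * netlink_unicast() succeeding (1) or failing, e.g. a full socket (0). */
static int model_genlmsg_reply(struct model_skb *skb, int deliver_ok)
{
    model_nlmsg_free(skb);          /* queued or dropped: either way gone */
    return deliver_ok ? 0 : -EAGAIN;
}

/* Pre-patch shape: every failure goes to free_msg, including the one that
 * happens after genlmsg_reply() has already consumed msg. */
static int handler_vulnerable(int put_ok, int deliver_ok)
{
    struct model_skb *msg = model_alloc_skb();
    int ret;

    if (!put_ok) {                  /* e.g. nlmsg_put() failed */
        ret = -EMSGSIZE;
        goto free_msg;
    }
    ret = model_genlmsg_reply(msg, deliver_ok);
    if (ret)
        goto free_msg;              /* BUG: msg was consumed above */
    return 0;
free_msg:
    model_nlmsg_free(msg);          /* second free when reached from above */
    return ret;
}

/* Post-patch shape: the genlmsg_reply() result is returned directly, and
 * free_msg is reached only for failures before ownership is handed over. */
static int handler_fixed(int put_ok, int deliver_ok)
{
    struct model_skb *msg = model_alloc_skb();
    int ret;

    if (!put_ok) {
        ret = -EMSGSIZE;
        goto free_msg;
    }
    return model_genlmsg_reply(msg, deliver_ok);   /* ownership transferred */
free_msg:
    model_nlmsg_free(msg);
    return ret;
}

/* Runs a handler and reports how many times its reply skb was freed. */
static int frees_after(int (*handler)(int, int), int put_ok, int deliver_ok)
{
    handler(put_ok, deliver_ok);
    return pool[0].freed;
}

int main(void)
{
    printf("vulnerable, reply fails:  freed %d times\n",
           frees_after(handler_vulnerable, 1, 0));
    printf("fixed, reply fails:       freed %d times\n",
           frees_after(handler_fixed, 1, 0));
    printf("fixed, nlmsg_put fails:   freed %d times\n",
           frees_after(handler_fixed, 0, 0));
    return 0;
}
```

The model makes the invariant explicit: once the skb is passed to the reply function, the only correct thing a handler can do with the pointer is forget it. A pre-reply failure (the nlmsg_put() case) is the one path that still owns the buffer, which is why the patch keeps free_msg for exactly that case.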

Preconditions

  • Network: Attacker must be able to send netlink GENL messages to the net-shapers subsystem
  • Input: The crafted netlink message must trigger a reply that causes netlink_unicast() to fail (e.g., full socket buffer)

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
