KernelScan.io

CRITICAL

x25 Fragment Double-Free

CVE-2026-43011

CVSS 9.8 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 9.8 CRITICAL

01

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix potential double free of skb

When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:

    x25_queue_rx_frame returns 1
        |
        v
    x25_state3_machine receives the return value 1 and takes the else
    branch at line 278, setting queued=0 and returning 0
        |
        v
    x25_process_rx_frame returns queued=0
        |
        v
    x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)
    again

This would free the same skb twice. Looking at x25_backlog_rcv:

    net/x25/x25_in.c:x25_backlog_rcv() {
        ...
        queued = x25_process_rx_frame(sk, skb);
        ...
        if (!queued)
            kfree_skb(skb);
    }

02

Engine v0.2.0

Risk summary

A double-free vulnerability in the X.25 networking protocol can be triggered by sending specially crafted packets that cause memory allocation failures during fragment processing. This could lead to kernel memory corruption, system crashes, or potentially arbitrary code execution with kernel privileges.

Affected: net/x25/x25_in.c

Vulnerability analysis

Root Cause: In x25_queue_rx_frame(), when alloc_skb() fails, the function calls kfree_skb(skb) and returns an error code (1). This error propagates through the call chain (x25_state3_machine -> x25_process_rx_frame -> x25_backlog_rcv), causing x25_backlog_rcv() to see queued=0 and call kfree_skb(skb) again on the same already-freed skb.

Attack Surface: Network-accessible through X.25 protocol stack. Requires ability to send X.25 packets that trigger the fragmentation code path and cause memory allocation failure during fragment reassembly.

Fix Mechanism: The patch removes the kfree_skb(skb) call from x25_queue_rx_frame() when alloc_skb() fails. Now only x25_backlog_rcv() is responsible for freeing the skb when processing fails, eliminating the double-free condition.

03

Branch      Fixed in    Patch commit
5.10        5.10.253    5d0aa038a90b
5.15        5.15.203    3f5e30059846
6.1         6.1.168     f782dd382203
6.12        6.12.81     524371398d84
6.18        6.18.22     fa1dbc93530b
6.19        6.19.12     c87dd137c0da
6.6         6.6.134     143d4fa68ae9
mainline    7.0         d10a26aa4d07