KernelScan.io

HIGH

mpls Platform Label Race

CVE-2026-43042

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved:

mpls: add seqcount to protect the platform_label{,s} pair

The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses.

This patch adds a seqcount, so that we get a consistent snapshot.

Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.

Engine v0.2.0

Risk summary

A race condition in MPLS label table management can cause out-of-bounds memory accesses during packet forwarding or route enumeration. This could lead to kernel crashes or potential information disclosure when concurrent operations resize the label table while other processes are accessing it.

Affected: net/mpls/af_mpls.c

Vulnerability analysis

Root Cause: The MPLS forwarding code has a race condition between RCU-protected readers (mpls_forward, mpls_dump_routes) and writers that resize the platform label table (resize_platform_label_table). Readers can observe an inconsistent view where platform_labels (the size) and platform_label (the array pointer) don't match during concurrent table resizing, leading to out-of-bounds array accesses.

Attack Surface: This affects MPLS packet forwarding and route dumping operations. The vulnerability requires MPLS to be enabled and configured with labels. It can be triggered through network packet processing (mpls_forward) or netlink route dump requests (mpls_dump_routes), making it reachable from both network traffic and local netlink operations.

Fix Mechanism: The patch introduces a seqcount (platform_label_seq) protected by the existing platform_mutex to ensure atomic updates of the platform_labels/platform_label pair. Writers use write_seqcount_begin/end around updates, while readers use read_seqcount_begin/retry loops in mpls_platform_label_rcu() to get a consistent snapshot of both values before accessing the array.
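The reader/writer pattern described under Fix Mechanism, as an added user-space C11 model; it is not the kernel patch or code from this page. The struct and all table_* function names are hypothetical, and array lifetime (handled by RCU in the kernel) is out of scope.

```c
/* User-space model of the seqcount pattern (added example, not kernel code). */
#include <stdatomic.h>
#include <stddef.h>

struct label_table {
    atomic_uint seq;        /* even: stable, odd: resize in progress */
    _Atomic(int *) label;   /* models platform_label (array pointer) */
    atomic_size_t labels;   /* models platform_labels (element count) */
};

/* Writer side: caller is assumed to hold the lock that serializes resizes. */
static void table_write_begin(struct label_table *t) {
    atomic_fetch_add_explicit(&t->seq, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
}
static void table_write_end(struct label_table *t) {
    atomic_fetch_add_explicit(&t->seq, 1, memory_order_release);
}
static void table_resize(struct label_table *t, int *arr, size_t n) {
    table_write_begin(t);
    atomic_store_explicit(&t->labels, n, memory_order_relaxed);
    atomic_store_explicit(&t->label, arr, memory_order_relaxed);
    table_write_end(t);
}

/* Reader side: sample the counter, read both fields, then re-check it. */
static unsigned table_read_begin(struct label_table *t) {
    return atomic_load_explicit(&t->seq, memory_order_acquire);
}
static int table_read_retry(struct label_table *t, unsigned start) {
    atomic_thread_fence(memory_order_acquire);
    return (start & 1) ||
           atomic_load_explicit(&t->seq, memory_order_relaxed) != start;
}

/* Bounds-checked lookup against a consistent (pointer, size) snapshot.
 * Returns 0 and fills *out on success, -1 if idx is outside the table. */
static int table_lookup(struct label_table *t, size_t idx, int *out) {
    int *arr; size_t n; unsigned s;
    do {
        s = table_read_begin(t);
        arr = atomic_load_explicit(&t->label, memory_order_relaxed);
        n = atomic_load_explicit(&t->labels, memory_order_relaxed);
    } while (table_read_retry(t, s));
    if (idx >= n)
        return -1;
    *out = arr[idx];
    return 0;
}
```

A reader whose sample straddles a resize, or lands while only one of the two fields has been updated, is told to retry, so the bounds check never pairs a size with an array it does not describe.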

Branch     Fixed in   Patch commit
6.19       6.19.12    5bb3caf0bbfb
mainline   7.0        629ec78ef860