CVE-2026-43208: net RPS OOB
Severity: CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.9 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: do not pass flow_id to set_rps_cpu()

Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change.

Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu().

Otherwise we risk out-of-bound access and/or crashes.
02 KernelScan AI Analysis
Risk summary
Remote attackers can trigger an out-of-bounds read in the kernel's Receive Flow Steering (RFS) subsystem when RPS flow tables are resized or replaced, potentially leaking slab memory or causing a kernel crash. This affects systems with RFS enabled on network interfaces that process incoming packets.
Vulnerability analysis
The vulnerability stems from commit 48aa30443e52 caching a flow_id in get_rps_cpu() that was computed against one RCU-protected RPS flow table, then passing it to set_rps_cpu() which re-dereferences the per-queue flow table pointer. Between the two RCU reads the table may be replaced (e.g., via sysfs rps_flow_cnt changes) with a smaller allocation, causing the stale flow_id to exceed the new table bounds. The fix removes the cached parameter and recomputes flow_id inside set_rps_cpu() using the table that is actually being accessed. Because the bug lies in the generic packet receive path, it is reachable from remote network traffic on any interface with RFS enabled.
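The two-dereference pattern the analysis describes, as an added model written for this page and not Linux kernel code: the table struct, the global queue pointer and the helper names are constructed stand-ins for the RCU-protected per-queue flow table, and the shrink between the two reads stands in for a sysfs rps_flow_cnt change.

```c
/* Constructed model of the pattern described above; not Linux kernel code.
 * queue_table stands in for the RCU-protected per-queue flow table pointer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct flow_entry { uint16_t cpu; };
struct flow_table {
    unsigned int mask;          /* entries = mask + 1, a power of two */
    struct flow_entry flows[];  /* flexible array member */
};
static struct flow_table *queue_table;   /* hypothetical per-queue pointer */

static struct flow_table *table_alloc(unsigned int entries) {
    struct flow_table *t = calloc(1, sizeof(*t) + entries * sizeof(t->flows[0]));
    t->mask = entries - 1;
    return t;
}
/* Pre-fix shape: the caller derives flow_id from the table it observed... */
static unsigned int get_flow_id(uint32_t hash) {
    return hash & queue_table->mask;     /* first dereference */
}
/* ...and the callee dereferences the pointer again but trusts the cached index.
 * Returns false instead of indexing past the table it actually holds. */
static bool set_cpu_cached_id(unsigned int flow_id, uint16_t cpu) {
    struct flow_table *t = queue_table;  /* second dereference */
    if (flow_id > t->mask)
        return false;                    /* where the kernel would go out of bounds */
    t->flows[flow_id].cpu = cpu;
    return true;
}
/* Post-fix shape: flow_id is derived from the table that is actually indexed. */
static bool set_cpu_recomputed(uint32_t hash, uint16_t cpu) {
    struct flow_table *t = queue_table;
    t->flows[hash & t->mask].cpu = cpu;  /* always within bounds of t */
    return true;
}
/* Replays the race: the table shrinks between the two reads. Returns 1 when the
 * cached index would overrun the new table while the recomputed one is safe. */
static int simulate_shrink_race(uint32_t hash) {
    struct flow_table *big = table_alloc(4096), *small = table_alloc(64);
    queue_table = big;
    unsigned int stale = get_flow_id(hash);
    queue_table = small;                 /* resize lands here */
    bool cached_ok = set_cpu_cached_id(stale, 3);
    bool fixed_ok = set_cpu_recomputed(hash, 3);
    free(big); free(small); queue_table = NULL;
    return (!cached_ok && fixed_ok) ? 1 : 0;
}
```

Whether the stale index overruns depends on the hash: a flow whose old index already fits the smaller mask is unaffected, which is why the bug surfaces only for some flows after a resize.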
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | 5455a232edea |
| 6.19 | 6.19.6 | ed712dc0d64d |
| mainline | 7.0 | 8a8a9fac9efa |