HIGH
9p/xen Frontend Race
CVE-2026-43249
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.2 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash.

This is a fix for the following double-free:

```text
[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
[ 27.052418] Call Trace:
[ 27.052420]  <TASK>
[ 27.052422]  xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426]  ? xenbus_otherend_changed+0x72/0x140
[ 27.052430]  ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434]  xenwatch_thread+0x94/0x1c0
[ 27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10
[ 27.052442]  kthread+0xf8/0x240
[ 27.052445]  ? __pfx_kthread+0x10/0x10
[ 27.052449]  ? __pfx_kthread+0x10/0x10
[ 27.052452]  ret_from_fork+0x16b/0x1a0
[ 27.052456]  ? __pfx_kthread+0x10/0x10
[ 27.052459]  ret_from_fork_asm+0x1a/0x30
[ 27.052463]  </TASK>
[ 27.052465] Modules linked in:
[ 27.052471] ---[ end trace 0000000000000000 ]---
```
02 KernelScan AI Analysis
Risk summary
Linux guests running under the Xen hypervisor with the 9p Xen transport in use are exposed to kernel crashes and potential memory corruption. A malicious or misbehaving back end can drive repeated state changes that reach the front-end teardown concurrently, so the front-end state is released twice: on a kernel with slab debugging this is an immediate oops, on a production kernel it is a silent double-free that corrupts heap metadata. Because the trigger described here is a back-end state change delivered through the xenwatch thread, the practical exposure is to a compromised or buggy back-end domain rather than to unprivileged code inside the guest.
Vulnerability analysis
The vulnerability stems from insufficient synchronization in the cleanup path of the 9p Xen transport. The xenwatch thread, which delivers back-end state-change notifications, can race with other notifications for the same device, so xen_9pfs_front_free() runs more than once on the same front-end structure and releases the ring buffers, list linkage and private device state twice. The faulting address in the oops above, 0x6b6b6b6b6b6b6b6b, is the slab free-poison pattern (every byte 0x6b, POISON_FREE): the second caller read list pointers out of an object the first caller had already freed. With slab debugging enabled that is an immediate general protection fault; on a production kernel the poison is absent and the second free silently corrupts the slab freelist or whatever object has since been allocated in that memory, leading to further memory corruption or information disclosure. The fix restructures the teardown to take xen_9pfs_lock consistently, removes the device from the list and clears the driver data under the lock, and adds a NULL check on the driver data so that only the caller that clears it proceeds to free anything; any later caller finds it NULL and returns without touching the freed state.
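The claim-then-release pattern the analysis describes, as an added user-space model written for this page (it is not code from the kernel, the driver or the fix): two shapes of the teardown are driven by repeated back-end notifications, one that never claims ownership of the front-end state and one that clears `drvdata` and unlinks the object under `xen_9pfs_lock` before releasing anything. The list name `xen_9pfs_devs`, the object layout, the pre-fix shape in `front_free_unguarded`, and the `model_kfree`, `release` and `simulate` helpers are assumptions of this model. `model_kfree` fills the object with 0x6b, as a debug slab would, and keeps the memory instead of freeing it, so the second release is observable (counted as a fault) rather than undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>

/* Constructed user-space model of the 9p/xen front-end teardown, not kernel code.
 * xen_9pfs_lock and dev->drvdata follow the driver; the list name, object layout
 * and the pre-fix shape of the teardown are assumptions of this model. */
#define XEN_9PFS_NUM_RINGS 2
#define RING_BYTES 64
#define POISON_FREE 0x6b  /* slab free-poison byte: the 0x6b6b6b6b6b6b6b6b in the oops */

struct list_node { struct list_node *next, *prev; };
struct xen_9pfs_front_priv {
    struct list_node list;            /* linkage on the global front-end list */
    void *rings[XEN_9PFS_NUM_RINGS];  /* stand-ins for the per-ring buffers */
};
struct xenbus_device { void *drvdata; };
struct outcome { int frees, faults; };

static pthread_mutex_t xen_9pfs_lock = PTHREAD_MUTEX_INITIALIZER;
static struct list_node xen_9pfs_devs = { &xen_9pfs_devs, &xen_9pfs_devs };
static int frees;                     /* releases of the private state */

static void list_add(struct list_node *n)
{
    n->next = xen_9pfs_devs.next; n->prev = &xen_9pfs_devs;
    n->next->prev = n; xen_9pfs_devs.next = n;
}
static void list_del(struct list_node *n) { n->prev->next = n->next; n->next->prev = n->prev; }

/* kfree() stand-in: poison as a debug slab does but keep the memory, so a second
 * release is observable instead of undefined behaviour. */
static void model_kfree(void *p, size_t n) { memset(p, POISON_FREE, n); }

static void release(struct xen_9pfs_front_priv *priv)
{
    for (int i = 0; i < XEN_9PFS_NUM_RINGS; i++)
        model_kfree(priv->rings[i], RING_BYTES);
    model_kfree(priv, sizeof *priv);
    frees++;
}

/* Pre-fix shape (assumed): the lock covers only the list update and drvdata is
 * never cleared, so every notification reaching this path walks the same priv.
 * A debug kernel reads poisoned list pointers on the second walk and takes a
 * general protection fault, reported as -1 here; a production kernel would
 * free the object again. */
static int front_free_unguarded(struct xenbus_device *dev)
{
    struct xen_9pfs_front_priv *priv = dev->drvdata;
    uintptr_t poison;
    if (!priv)
        return 0;
    memset(&poison, POISON_FREE, sizeof poison);
    if (!memcmp(&priv->list.next, &poison, sizeof poison))
        return -1;                    /* list_del() would fault on 0x6b6b... */
    pthread_mutex_lock(&xen_9pfs_lock);
    list_del(&priv->list);
    pthread_mutex_unlock(&xen_9pfs_lock);
    release(priv);
    return 0;
}

/* Fixed shape: claim the object under xen_9pfs_lock by clearing drvdata and
 * unlinking it, then release outside the lock. Whoever finds drvdata already
 * NULL lost the claim and must not touch priv. */
static int front_free_guarded(struct xenbus_device *dev)
{
    struct xen_9pfs_front_priv *priv;
    pthread_mutex_lock(&xen_9pfs_lock);
    priv = dev->drvdata;
    if (!priv) {
        pthread_mutex_unlock(&xen_9pfs_lock);
        return 1;                     /* teardown already owned elsewhere */
    }
    dev->drvdata = NULL;
    list_del(&priv->list);
    pthread_mutex_unlock(&xen_9pfs_lock);
    release(priv);                    /* nothing else can reach priv now */
    return 0;
}

/* Deliver `notifications` back-end state changes that each reach the teardown
 * path, as the xenwatch thread would, and report releases and faults. */
static struct outcome simulate(int notifications, int (*teardown)(struct xenbus_device *))
{
    struct outcome out = { 0, 0 };
    struct xen_9pfs_front_priv *priv = calloc(1, sizeof *priv);
    struct xenbus_device dev;
    for (int i = 0; i < XEN_9PFS_NUM_RINGS; i++)
        priv->rings[i] = calloc(1, RING_BYTES);
    pthread_mutex_lock(&xen_9pfs_lock);
    list_add(&priv->list);
    pthread_mutex_unlock(&xen_9pfs_lock);
    dev.drvdata = priv;
    frees = 0;
    for (int i = 0; i < notifications; i++)
        if (teardown(&dev) < 0)
            out.faults++;
    out.frees = frees;
    return out;
}
```

Call `simulate(n, front_free_unguarded)` with two or more notifications and the unguarded path releases the state once and then trips over the poisoned list pointers on every later pass, the counterpart of the general protection fault in the oops; `simulate(n, front_free_guarded)` releases exactly once however many notifications arrive, because only the caller that observed a non-NULL `drvdata` under the lock and cleared it ever reaches `release()`. Clearing the pointer and unlinking under the same lock is the whole point: the check and the claim must be one atomic step, or two callers can both pass the NULL check before either clears it.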
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.15 | 4.15 | a5d00dff9711 |
| 4.20 | 4.20 | 59e770749257 |
| 5.5 | 5.5 | bf841d43f7a3 |
| 5.11 | 5.11 | ce8ded2e61f4 |
| 5.16 | 5.16 | — |
| 6.2 | 6.2 | — |
| 6.3 | 6.3 | — |
| 6.12 | 6.12.75 | — |
| 6.18 | 6.18.16 | — |
| 6.19 | 6.19.6 | — |
| mainline | 7.0 | — |