KernelScan.io

HIGH

net/nexthop GroupEntry UAF

CVE-2026-43374

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 6.3 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix percpu use-after-free in remove_nh_grp_entry

When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory.

Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.

02

Engine v0.2.0

Risk summary

Local attackers with low privileges (CAP_NET_ADMIN, obtainable via user namespaces) can trigger a use-after-free in the nexthop subsystem by removing nexthops from a group while traffic is flowing. RCU readers in the packet forwarding path may dereference freed percpu memory, leading to memory corruption and potential system crashes on systems using advanced routing configurations.

Affected: net/ipv4/nexthop.c (nexthop subsystem)

Vulnerability analysis

The vulnerability is in remove_nh_grp_entry(), which publishes the new nexthop group via rcu_assign_pointer() and then immediately frees the removed entry's percpu stats with free_percpu(). The synchronize_net() grace period in the caller, remove_nexthop_from_groups(), runs only after that free. RCU readers that entered their read-side critical section before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), a use-after-free on percpu memory.

The fix defers the free_percpu() until after synchronize_net() in the caller: removed entries are chained via nh_list onto a local deferred free list, and once the grace period has completed and all RCU readers have finished, the percpu stats are freed safely.

03

Branch     Fixed in   Patch commit
6.12       6.12.78    abf4feaee640
6.18       6.18.19    ab5ebab96642
6.19       6.19.9     9e08ad731862
mainline   7.0        b2662e7593e9