Severity: HIGH
net-shapers Netlink Double Free
CVE-2026-43481
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 7.8, High)
KernelScan AI score: 6.2 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net-shapers: don't free reply skb after genlmsg_reply()

genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path.

net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice.

Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.
02 KernelScan AI Analysis
Risk summary
A double free in the net-shapers generic netlink handlers causes kernel memory corruption when genlmsg_reply() fails after the reply skb has already been handed to netlink. Systems with the net-shaper family enabled are affected; the consequence ranges from a kernel crash to potential privilege escalation via the corrupted skb allocation. Exploitation requires local access to send netlink requests to the net-shaper family (the CVSS vector rates it PR:L). The failing path is reached when netlink cannot deliver the reply to the requesting socket, for example when that socket's receive buffer is full: netlink_unicast() then frees the skb and returns -EAGAIN, which is the situation the second nlmsg_free() turns into a double free.
Vulnerability analysis
The defect is in the error handling of net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit(). Both build a reply skb, fill it, and pass it to genlmsg_reply(), which transfers ownership to netlink; netlink_unicast() consumes the skb on every return path, freeing it itself when delivery fails. The handlers nevertheless treat a genlmsg_reply() error like a fill error and jump to the shared free_msg label, so nlmsg_free() runs on an skb netlink has already freed, a double free of the same allocation. The fix returns the genlmsg_reply() result directly and keeps free_msg only for failures that happen before the skb is handed off (allocation and fill errors), which is the general rule for any caller of a netlink send routine: once the skb is passed in, the caller no longer owns it, on success or on failure. The attack surface is local: the handlers are genetlink doit operations of the net-shaper family, reached by sending a request over a netlink socket.
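The ownership rule above, as an added example that is not kernel code and not part of the original advisory: a small C model in which reply() stands in for genlmsg_reply()/netlink_unicast() and consumes the message on every return path, and two handlers show the vulnerable control flow (shared free_msg label reused after the send) beside the fixed one (error returned directly). The names msg, msg_free(), reply(), get_doit_vulnerable(), get_doit_fixed() and count_frees() are this example's own, and frees are counted rather than performed so the double free is observable instead of being undefined behaviour.

```c
/* Added example, not kernel code: a model of the skb ownership rule behind
 * this fix. reply() stands in for genlmsg_reply()/netlink_unicast() and
 * consumes the message on every return path. The vulnerable handler frees
 * again on failure; the fixed one returns the error directly. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct msg {
    int free_count;   /* instrumented: how many times msg_free() ran */
    bool queued;      /* set when the "send" succeeded */
};

static struct msg *msg_new(void)
{
    return calloc(1, sizeof(struct msg));
}

/* Stand-in for nlmsg_free(): only records the free so the count can be
 * inspected afterwards (real nlmsg_free() releases the skb). */
static void msg_free(struct msg *m)
{
    m->free_count++;
}

/* Stand-in for genlmsg_reply(). rcvbuf_full models the requester's socket
 * being unable to accept the reply; like netlink_unicast(), the message is
 * freed here and -EAGAIN is returned. On success it is queued, not freed. */
static int reply(struct msg *m, bool rcvbuf_full)
{
    if (rcvbuf_full) {
        msg_free(m);          /* consumed on the error path */
        return -EAGAIN;
    }
    m->queued = true;         /* consumed on the success path */
    return 0;
}

/* Vulnerable shape: the pre-reply cleanup label is reused after reply(). */
static int get_doit_vulnerable(struct msg *m, bool fill_fails, bool rcvbuf_full)
{
    int ret;

    if (fill_fails) {         /* a failure before the hand-off: we own m */
        ret = -EMSGSIZE;
        goto free_msg;
    }
    ret = reply(m, rcvbuf_full);
    if (ret)
        goto free_msg;        /* BUG: m was already consumed by reply() */
    return 0;

free_msg:
    msg_free(m);
    return ret;
}

/* Fixed shape: free_msg covers only failures before the hand-off. */
static int get_doit_fixed(struct msg *m, bool fill_fails, bool rcvbuf_full)
{
    int ret;

    if (fill_fails) {
        ret = -EMSGSIZE;
        goto free_msg;
    }
    return reply(m, rcvbuf_full);   /* ownership is gone either way */

free_msg:
    msg_free(m);
    return ret;
}

/* Runs one handler on a fresh message and returns the number of frees it
 * performed; the handler's return value is stored in *ret_out. The model
 * object itself is released here regardless of how the handler behaved. */
static int count_frees(int (*handler)(struct msg *, bool, bool),
                       bool fill_fails, bool rcvbuf_full, int *ret_out)
{
    struct msg *m = msg_new();
    int count;

    *ret_out = handler(m, fill_fails, rcvbuf_full);
    count = m->free_count;
    free(m);
    return count;
}
```

With the reply path failing, count_frees() reports two frees for the vulnerable handler and one for the fixed handler; with a fill failure both free exactly once, and on success neither frees at all, which is the behaviour the patch restores in the two doit handlers.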
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | 8738dcc844ff |
| 6.19 | 6.19.9 | 83f7b54242d0 |
| mainline | 7.0 | 57885276cc16 |