CVE-2026-43011
Published: 01 May 2026
Summary
CVE-2026-43011 is a critical-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the double free vulnerability by requiring timely application of the available Linux kernel patches for the X.25 implementation.
Eliminates exposure to the X.25 kernel vulnerability by configuring the system to disable unnecessary networking functionality like the net/x25 module.
Provides kernel memory safeguards such as freelist randomization and guard pages that limit successful exploitation of the double skb free leading to corruption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote kernel double-free in X.25 stack enables exploitation for privilege escalation via memory corruption (T1068) and exploitation of remote services (T1210).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix potential double free of skb When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:…
more
x25_queue_rx_frame returns 1 | v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0 | v x25_process_rx_frame returns queued=0 | v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again This would free the same skb twice. Looking at x25_backlog_rcv: net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }
Deeper analysisAI
CVE-2026-43011 is a vulnerability in the Linux kernel's X.25 networking implementation (net/x25) that results in a potential double free of a socket buffer (skb). The issue occurs when alloc_skb fails in x25_queue_rx_frame, which calls kfree_skb(skb) and returns 1 (error). This error propagates through x25_state3_machine (taking the else branch at line 278, setting queued=0) and x25_process_rx_frame, leading to x25_backlog_rcv calling kfree_skb(skb) again if queued=0.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable over the network (AV:N) by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation via X.25 traffic could trigger the double free, enabling high-impact effects on confidentiality, integrity, and availability, such as kernel memory corruption or denial of service.
Patches addressing this issue are available in Linux kernel stable branches via the following commits: https://git.kernel.org/stable/c/143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1, https://git.kernel.org/stable/c/3f5e3005984645bf5bd129c6b13149879580b1fb, https://git.kernel.org/stable/c/524371398d8463ea7e101fce2cbf3915645d1730, https://git.kernel.org/stable/c/5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9, and https://git.kernel.org/stable/c/c87dd137c0dad07cc55f98181ff380b0c23d2878. Affected systems should apply these updates, particularly if the X.25 module is in use.
Details
- CWE(s)