CVE-2026-43042
Published: 01 May 2026
Summary
CVE-2026-43042 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the race condition in the MPLS subsystem by applying the kernel patches that add seqcount protection for consistent snapshots of platform_label and platform_labels, preventing OOB accesses.
Enforces least functionality by disabling or restricting non-essential kernel subsystems like MPLS, avoiding exposure to the race condition vulnerability.
Implements memory protection mechanisms that restrict unauthorized access and mitigate the impact of out-of-bounds memory accesses triggered by the inconsistent platform label views.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Race condition enables OOB kernel memory reads (facilitates credential access via T1212) and crashes (T1499.004 Application or System Exploitation).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: mpls: add seqcount to protect the platform_label{,s} pair The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under…
more
platform_mutex). This can lead to OOB accesses. This patch adds a seqcount, so that we get a consistent snapshot. Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.
Deeper analysisAI
CVE-2026-43042 is a race condition vulnerability in the Linux kernel's MPLS (Multiprotocol Label Switching) subsystem. It affects RCU-protected code paths in functions such as mpls_forward and mpls_dump_routes, which can observe an inconsistent view of the platform_labels array versus the platform_label scalar during a concurrent resize of the platform label table (via resize_platform_label_table, protected by platform_mutex). This inconsistency enables out-of-bounds (OOB) memory accesses. The vulnerability also impacts the mpls_label_ok function, where checks against RTA_DST in rtm_to_route_config (outside platform_mutex) are insufficient alone, though additional checks in mpls_route_add and mpls_route_del mitigate issues there.
A local attacker with low privileges (AV:L/PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation leads to OOB accesses, resulting in high confidentiality impact through potential exposure of sensitive kernel memory (C:H) and high availability impact via kernel crashes or denial of service (A:H), with no integrity impact (I:N). The CVSS v3.1 base score is 7.1 (S:U).
The provided kernel patch commits resolve the issue by adding a seqcount to protect the platform_label and platform_labels pair, ensuring RCU-protected code paths obtain a consistent snapshot. Security practitioners should apply these stable kernel updates (commits 5bb3caf0bbfb56f1a00d2af072ac3d8395a3b9ef and 629ec78ef8608d955ce217880cdc3e1873af3a15) to mitigate the vulnerability.
Details
- CWE(s)