Use After Free Affecting kernel-docs-html package, versions <6.12.0-160000.33.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES1600-KERNELDOCSHTML-17129990
- published2 Jun 2026
- disclosed28 May 2026
Introduced: 28 May 2026
NewCVE-2026-43050 (opens in a new tab)How to fix?
Upgrade SLES:16.0.0 kernel-docs-html to version 6.12.0-160000.33.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-docs-html package and not the kernel-docs-html package as distributed by SLES.
See How to fix? for SLES:16.0.0 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach()
- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
References
- https://www.suse.com/security/cve/CVE-2026-43050.html
- https://bugzilla.suse.com/1264082
- https://bugzilla.suse.com/1264083
- https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e
- https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad
- https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b
- https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8
- https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe
- https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555
- https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3
- https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a