net/x25: Fix potential double free of skb_CVE-2026-43011

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix potential double free of skb

When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at
line 48 and returns 1 (error).
This error propagates back through the call chain:

x25_queue_rx_frame returns 1
|
v
x25_state3_machine receives the return value 1 and takes the else
branch at line 278, setting queued=0 and returning 0
|
v
x25_process_rx_frame returns queued=0
|
v
x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)
again

This would free the same skb twice. Looking at x25_backlog_rcv:

net/x25/x25_in.c:x25_backlog_rcv() {
...
queued = x25_process_rx_frame(sk, skb);
...
if (!queued)
kfree_skb(skb);
}

AI Analysis

Potential double free of skb in the Linux kernel's x25 module

Basic Information

ID CVE-2026-43011

Source Linux

Published May 1, 2026 at 14:15

Modified May 3, 2026 at 05:46

Affected Product

Vendor Linux

Product Linux

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Affected Versions Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 2.6.12

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 2.6.12

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix potential double free of skb\n\nWhen alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at\nline 48 and returns 1 (error).\nThis error propagates back through the call chain:\n\nx25_queue_rx_frame returns 1\n    |\n    v\nx25_state3_machine receives the return value 1 and takes the else\nbranch at line 278, setting queued=0 and returning 0\n    |\n    v\nx25_process_rx_frame returns queued=0\n    |\n    v\nx25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)\nagain\n\nThis would free the same skb twice. Looking at x25_backlog_rcv:\n\nnet/x25/x25_in.c:x25_backlog_rcv() {\n    ...\n    queued = x25_process_rx_frame(sk, skb);\n    ...\n    if (!queued)\n        kfree_skb(skb);\n}",
    "published": "2026-05-01T14:15:17.597Z",
    "modified": "2026-05-03T05:46:03.430Z",
    "type": "cve",
    "title": "net/x25: Fix potential double free of skb",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9\nhttps://git.kernel.org/stable/c/3f5e3005984645bf5bd129c6b13149879580b1fb\nhttps://git.kernel.org/stable/c/f782dd382203b2a8c4552a628431b7de65a19a7b\nhttps://git.kernel.org/stable/c/143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1\nhttps://git.kernel.org/stable/c/524371398d8463ea7e101fce2cbf3915645d1730\nhttps://git.kernel.org/stable/c/fa1dbc93530b34fab0da9862426fe9c918c74dc0\nhttps://git.kernel.org/stable/c/c87dd137c0dad07cc55f98181ff380b0c23d2878\nhttps://git.kernel.org/stable/c/d10a26aa4d072320530e6968ef945c8c575edf61",
    "id": "CVE-2026-43011",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 2.6.12",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
    "vendor": "Linux",
    "ai_description": "Potential double free of skb in the Linux kernel's x25 module",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, 2.6.12",
    "ai_score": 9.8
}