PT-2026-36467 · Linux · Linux Kernel
Published 2026-03-09 · Updated 2026-05-26 · CVE-2026-43050
CVSS v2.0: 7.7 High
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A race condition exists in the Linux kernel between the lec_atm_close() function setting priv->lecd to NULL and concurrent access to priv->lecd within the send_to_lecd(), lec_handle_bridge(), and lec_atm_send() functions. This occurs because lec_atm_close() clears priv->lecd without synchronization, while other callers dereference it without protection against concurrent teardown. Consequently, if the socket is freed via RCU while another thread is still using it, a use-after-free occurs in the sock_def_readable() function when accessing the socket's wait queue.
Recommendations
Convert priv->lecd to an RCU-protected pointer by marking it as __rcu in lec.h and using rcu_assign_pointer() in lec_atm_close() and lecd_attach().
Use rcu_access_pointer() for NULL checks in lec_start_xmit(), lec_push(), send_to_lecd(), and lecd_attach().
Implement rcu_read_lock(), rcu_dereference(), and rcu_read_unlock() in send_to_lecd(), lec_handle_bridge(), and lec_atm_send() to safely access lecd.
Apply rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding.
Fix
Use After Free
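The ordering the recommendations rely on (clear the pointer, wait for in-flight readers, only then release the socket) can be exercised in userspace. The following is an added example, not the kernel patch or code from this advisory: a plain reader counter stands in for RCU, and every `*_model` name, the `model_*` helpers and the `freed` flag are assumptions made for illustration.

```c
/* Added userspace model, not kernel code: a reader counter stands in for RCU. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
static struct sock_model { atomic_int freed; } sk_storage; /* stand-in for struct sock */
static _Atomic(struct sock_model *) lecd;                  /* models priv->lecd */
static atomic_int readers, stop, sends, uaf_hits;

/* Stand-ins for rcu_read_lock(), rcu_read_unlock() and synchronize_rcu(). */
static void model_read_lock(void)   { atomic_fetch_add(&readers, 1); }
static void model_read_unlock(void) { atomic_fetch_sub(&readers, 1); }
static void model_synchronize(void) { while (atomic_load(&readers)) sched_yield(); }

/* Reader shaped like the fixed send_to_lecd(): returns -1 once lecd is gone. */
int send_to_lecd_model(void)
{
    int ret = -1;
    model_read_lock();
    struct sock_model *sk = atomic_load(&lecd);            /* rcu_dereference() */
    if (sk) {
        if (atomic_load(&sk->freed)) atomic_fetch_add(&uaf_hits, 1); /* would be the UAF */
        ret = 0;
    }
    model_read_unlock();
    return ret;
}

static void *reader(void *arg)
{
    while (!atomic_load(&stop))
        if (send_to_lecd_model() == 0) atomic_fetch_add(&sends, 1);
    return arg;
}
/* Two readers race one close shaped like the fixed lec_atm_close();
 * returns how many reads touched a socket already marked freed. */
int run_model(void)
{
    pthread_t t[2];
    atomic_store(&lecd, &sk_storage);
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, reader, NULL);
    while (atomic_load(&sends) < 1000) sched_yield();      /* readers are active */
    struct sock_model *sk = atomic_exchange(&lecd, NULL);  /* rcu_assign_pointer(NULL) */
    model_synchronize();                                   /* wait out in-flight readers */
    atomic_store(&sk->freed, 1);                           /* "free" only after that */
    atomic_store(&stop, 1);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return atomic_load(&uaf_hits);
}

int main(void) { printf("reads of a freed socket: %d\n", run_model()); return 0; }
```

Removing the `model_synchronize()` call reproduces the unsynchronized teardown the description refers to: a reader that loaded the pointer before it was cleared can still be using the socket when it is released.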
Related Identifiers
Affected Products
Linux Kernel