CVE-2026-43374

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A use-after-free issue exists in the Linux kernel within the remove nh grp entry() function. The system publishes a new group using rcu assign pointer() and immediately frees the removed entry's percpu stats via free percpu(). Because the synchronize net() grace period occurs after this free operation, RCU readers that entered before the publish can still access the old group and dereference the freed stats through nh grp entry stats inc() and get cpu ptr(nhge->stats), leading to a use-after-free on percpu memory.

Recommendations Defer the free percpu() operation until after the synchronize net() grace period in the caller function by chaining removed entries via nh list onto a local deferred free list.