PT-2026-39116 · Linux · Linux Kernel

Published: 2026-05-08 · Updated: 2026-05-21 · CVE-2026-43455

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A race condition exists in the mctp_flow_prepare_output() function. The function checks key->dev and may call mctp_dev_set_key() without holding key->lock, even though that lock is intended to serialize these operations. This occurs during the mctp_sendmsg() transmit path via mctp_local_output() and mctp_dst_output(). If two CPUs execute this sequence simultaneously, one device reference can be overwritten, leading to a resource leak because mctp_dev_release_key() will only decrease the reference count for one device.

Recommendations

Apply the fix that ensures key->lock is held during the key->dev check and the mctp_dev_set_key() call.
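
The interleaving described above, replayed deterministically in a simplified userspace model. This is an added example, not kernel code or the upstream patch. The names model_dev, run_schedule, count_leaky and the schedule strings are hypothetical, and each CPU is assumed to bind its own device.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified userspace model of the check-then-set race; not kernel code.
 * All names here are hypothetical. */
struct model_dev { int refs; };

/* A schedule is a string of CPU ids. Each CPU's first step is the
 * "is key->dev unset?" check, its second step is the set-key call.
 * Returns the number of device references still held after release. */
int run_schedule(const char *sched)
{
    struct model_dev dev[2] = { {0}, {0} };
    struct model_dev *key_dev = NULL;           /* models key->dev */
    int step[2] = {0, 0}, saw_unset[2] = {0, 0};

    for (const char *p = sched; *p; p++) {
        int cpu = *p - '0';
        if (step[cpu]++ == 0) {
            saw_unset[cpu] = (key_dev == NULL); /* check */
        } else if (saw_unset[cpu]) {
            dev[cpu].refs++;                    /* hold the device */
            key_dev = &dev[cpu];                /* may overwrite a prior hold */
        }
    }
    if (key_dev)
        key_dev->refs--;                        /* release drops only key->dev */
    return dev[0].refs + dev[1].refs;
}

/* Counts the schedules in the list that end with a leaked reference. */
int count_leaky(const char *const *scheds, size_t n)
{
    int leaky = 0;
    for (size_t i = 0; i < n; i++)
        leaky += run_schedule(scheds[i]) > 0;
    return leaky;
}

/* Without the lock, the check and set steps of both CPUs interleave freely. */
const char *const UNLOCKED[] = { "0011", "0101", "0110", "1001", "1010", "1100" };
/* With key->lock held across both steps, each CPU's pair is atomic. */
const char *const LOCKED[] = { "0011", "1100" };

int main(void)
{
    printf("unlocked: %d of 6 schedules leak\n", count_leaky(UNLOCKED, 6));
    printf("locked:   %d of 2 schedules leak\n", count_leaky(LOCKED, 2));
    return 0;
}
```

Every schedule in which both checks run before either set leaves one reference that release never drops. Holding the lock across both steps removes those schedules.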

Fix

Related Identifiers

CVE-2026-43455

Affected Products

Linux Kernel