CVE-2026-43481

In the Linux kernel, the following vulnerability has been resolved:

net-shapers: don't free reply skb after genlmsg reply()

genlmsg reply() hands the reply skb to netlink, and netlink unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path.

net shaper nl get doit() and net shaper nl cap get doit() currently jump to free msg after genlmsg reply() fails and call nlmsg free(msg), which can hit the same skb twice.

Return the genlmsg reply() error directly and keep free msg only for pre-reply failures.