HOMEVULNERABILITIESCVE-2026-43249
HIGH

CVE-2026-43249

Published: May 6, 2026· Updated: May 11, 2026

8.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications

and call xen_9pfs_front_free() twice, hitting the observed general

protection fault due to a double-free. Guard the teardown path so only

one caller can release the front-end state at a time, preventing the

crash.

This is a fix for the following double-free:

[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI

[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)

[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150

[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42

[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246

[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000

[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000

[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000

[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68

[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040

[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000

[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033

[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660

[ 27.052418] Call Trace:

[ 27.052420] <TASK>

[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720

[ 27.052426] ? xenbus_otherend_changed+0x72/0x140

[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10

[ 27.052434] xenwatch_thread+0x94/0x1c0

[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10

[ 27.052442] kthread+0xf8/0x240

[ 27.052445] ? __pfx_kthread+0x10/0x10

[ 27.052449] ? __pfx_kthread+0x10/0x10

[ 27.052452] ret_from_fork+0x16b/0x1a0

[ 27.052456] ? __pfx_kthread+0x10/0x10

[ 27.052459] ret_from_fork_asm+0x1a/0x30

[ 27.052463] </TASK>

[ 27.052465] Modules linked in:

[ 27.052471] ---[ end trace 0000000000000000 ]---

NVD Source

Technical Analysis

CVE-2026-43249 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorAdjacent
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (4)

Quick Facts

CVE IDCVE-2026-43249
CVSS Score8.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43249 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.