HOMEVULNERABILITIESCVE-2026-43260
HIGH

CVE-2026-43260

Published: May 6, 2026· Updated: May 8, 2026

7.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RSS context delete logic

We need to free the corresponding RSS context VNIC

in FW everytime an RSS context is deleted in driver.

Commit 667ac333dbb7 added a check to delete the VNIC

in FW only when netif_running() is true to help delete

RSS contexts with interface down.

Having that condition will make the driver leak VNICs

in FW whenever close() happens with active RSS contexts.

On the subsequent open(), as part of RSS context restoration,

we will end up trying to create extra VNICs for which we

did not make any reservation. FW can fail this request,

thereby making us lose active RSS contexts.

Suppose an RSS context is deleted already and we try to

process a delete request again, then the HWRM functions

will check for validity of the request and they simply

return if the resource is already freed. So, even for

delete-when-down cases, netif_running() check is not

necessary.

Remove the netif_running() condition check when deleting

an RSS context.

NVD Source

Technical Analysis

CVE-2026-43260 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (4)

Quick Facts

CVE IDCVE-2026-43260
CVSS Score7.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43260 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.