Linux Kernel: Double-Free in xen_9pfs_front_free (XEN 9pfs)
CVE-2026-43249 Published on May 6, 2026
9p/xen: protect xen_9pfs_front_free against concurrent calls
In the Linux kernel, the following vulnerability has been resolved:
The xenwatch thread can race with other back-end change notifications
and call xen_9pfs_front_free() twice, hitting the observed general
protection fault due to a double-free. Guard the teardown path so only
one caller can release the front-end state at a time, preventing the
crash.
This is a fix for the following double-free:
[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
[ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
[ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
[ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
[ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
[ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
[ 27.052418] Call Trace:
[ 27.052420] <TASK>
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426] ? xenbus_otherend_changed+0x72/0x140
[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434] xenwatch_thread+0x94/0x1c0
[ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10
[ 27.052442] kthread+0xf8/0x240
[ 27.052445] ? __pfx_kthread+0x10/0x10
[ 27.052449] ? __pfx_kthread+0x10/0x10
[ 27.052452] ret_from_fork+0x16b/0x1a0
[ 27.052456] ? __pfx_kthread+0x10/0x10
[ 27.052459] ret_from_fork_asm+0x1a/0x30
[ 27.052463] </TASK>
[ 27.052465] Modules linked in:
[ 27.052471] ---[ end trace 0000000000000000 ]---
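The fault address in the trace above, 0x6b6b6b6b6b6b6b6b, is the kernel's slab free-poison byte (POISON_FREE, 0x6b, from include/linux/poison.h) repeated, which is how a freed object shows up when slab poisoning is enabled. The following triage script is an added example, not part of the advisory or the kernel commit: it extracts the faulting function, the registers holding poison patterns, and the reliable call-trace frames from an oops. The names `triage` and `poison_kind` are hypothetical, and the sample input is an excerpt of the trace quoted on this page.

```python
import re

# Slab poison bytes as defined in include/linux/poison.h.
POISON = {0x6B: "POISON_FREE (freed object)",
          0x5A: "POISON_INUSE (uninitialised object)"}

# Excerpt of the oops quoted above (fault, RIP, two register rows, call trace).
SAMPLE_OOPS = """\
[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
[ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
[ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
[ 27.052418] Call Trace:
[ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
[ 27.052426] ? xenbus_otherend_changed+0x72/0x140
[ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
[ 27.052434] xenwatch_thread+0x94/0x1c0
[ 27.052442] kthread+0xf8/0x240
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")                 # dmesg timestamp
REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b")
RIP = re.compile(r"^RIP: (?:[0-9a-f]+:)?([\w.]+)\+0x")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def poison_kind(value_hex):
    """Return the poison label if all eight bytes are one known poison byte."""
    raw = bytes.fromhex(value_hex)
    return POISON.get(raw[0]) if len(set(raw)) == 1 else None

def triage(oops_text):
    """Summarise an x86-64 oops: faulting symbol, poisoned registers, callers."""
    report = {"rip": None, "poisoned": {}, "callers": []}
    for line in oops_text.splitlines():
        body = STAMP.sub("", line).strip()
        m = RIP.match(body)
        if m:
            report["rip"] = m.group(1)
            continue
        for reg, value in REG.findall(body):
            kind = poison_kind(value)
            if kind:
                report["poisoned"][reg] = kind
        m = FRAME.match(body)
        if m and not m.group(1):      # frames marked "?" are unreliable, skip them
            report["callers"].append(m.group(2))
    return report
```

A report whose `rip` is a teardown function and whose registers carry POISON_FREE, as here, points at an object that was released before this call reached it.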
Products Associated with CVE-2026-43249
Affected Versions
Linux:
- Version c15fe55d14b3b4ded5af2a3260877460a6ffb8ad and below a5d00dff97118a32fcf5fec7a4c3f864c4620c4e is affected.
- Version c15fe55d14b3b4ded5af2a3260877460a6ffb8ad and below 59e7707492576bdbfa8c1dbe7d90791df31e4773 is affected.
- Version c15fe55d14b3b4ded5af2a3260877460a6ffb8ad and below bf841d43f7a33d75675ba7f4e214ac1c67913065 is affected.
- Version c15fe55d14b3b4ded5af2a3260877460a6ffb8ad and below ce8ded2e61f47747e31eeefb44dc24a2160a7e32 is affected.
- Version be03c4fe72384366fd4077a70966bd3b8fc49013 is affected.
- Version 1ab4de11232e83b875b071aa44d1155634ca8a1e is affected.
- Version 7cc9dbae8a5f73bd555130384ea256018d28f283 is affected.
- Version 3e0359f151ac151abe3fa71040e450ed69cb824b is affected.
- Version 8d3fc907d060c4fb33203e616a395a22083b6566 is affected.
- Version 4f0e9244770f5b75a16d8c0929063cd336926764 is affected.
- Version 5f6a8974e9ef317fe63f88bab1f33070195dd147 is affected.
- Version 4.14.308 and below 4.15 is affected.
- Version 4.19.276 and below 4.20 is affected.
- Version 5.4.235 and below 5.5 is affected.
- Version 5.10.173 and below 5.11 is affected.
- Version 5.15.100 and below 5.16 is affected.
- Version 6.1.18 and below 6.2 is affected.
- Version 6.2.5 and below 6.3 is affected.
- Version 6.3 is affected.
- Before 6.3 is unaffected.
- Version 6.12.75, <= 6.12.* is unaffected.
- Version 6.18.16, <= 6.18.* is unaffected.
- Version 6.19.6, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.