Linux Kernel net_shapers: double free of reply skb after genlmsg_reply()
CVE-2026-43481 Published on May 13, 2026
net-shapers: don't free reply skb after genlmsg_reply()
In the Linux kernel, the following vulnerability has been resolved:
net-shapers: don't free reply skb after genlmsg_reply()
genlmsg_reply() hands the reply skb to netlink, and
netlink_unicast() consumes it on all return paths, whether the
skb is queued successfully or freed on an error path.
net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
currently jump to free_msg after genlmsg_reply() fails and call
nlmsg_free(msg), which can hit the same skb twice.
Return the genlmsg_reply() error directly and keep free_msg
only for pre-reply failures.
Products Associated with CVE-2026-43481
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb and below 8738dcc844fff7d0157ee775230e95df3b1884d7 is affected.
- Version 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb and below 83f7b54242d0abbfce35a55c01322f50962ed3ee is affected.
- Version 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb and below 57885276cc16a2e2b76282c808a4e84cbecb3aae is affected.
- Version 6.13 is affected.
- Before 6.13 is unaffected.
- Version 6.18.19, <= 6.18.* is unaffected.
- Version 6.19.9, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.