CVE-2026-43011

net/x25: Fix potential double free of skb

Assigner: Linux
Reserved: 01.05.2026 Published: 01.05.2026 Updated: 01.05.2026

In the Linux kernel, the following vulnerability has been resolved:

net/x25: Fix potential double free of skb

When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:

x25_queue_rx_frame returns 1 | v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0 | v x25_process_rx_frame returns queued=0 | v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again

This would free the same skb twice. Looking at x25_backlog_rcv:

net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 3f5e3005984645bf5bd129c6b13149879580b1fb (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to f782dd382203b2a8c4552a628431b7de65a19a7b (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 524371398d8463ea7e101fce2cbf3915645d1730 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to fa1dbc93530b34fab0da9862426fe9c918c74dc0 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to c87dd137c0dad07cc55f98181ff380b0c23d2878 (excl.) affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to d10a26aa4d072320530e6968ef945c8c575edf61 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 5d0aa038a90b30c9bedde0c41c1fdcd98ecb16e9 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 3f5e3005984645bf5bd129c6b13149879580b1fb (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to f782dd382203b2a8c4552a628431b7de65a19a7b (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 143d4fa68ae9efb83b0c55b12cc7f0d03732a2b1 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to 524371398d8463ea7e101fce2cbf3915645d1730 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to fa1dbc93530b34fab0da9862426fe9c918c74dc0 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to c87dd137c0dad07cc55f98181ff380b0c23d2878 (excl.)
affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to d10a26aa4d072320530e6968ef945c8c575edf61 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 2.6.12 is affected unaffected from 0 to 2.6.12 (excl.) unaffected from 5.10.253 to 5.10.* (incl.) unaffected from 5.15.203 to 5.15.* (incl.) unaffected from 6.1.168 to 6.1.* (incl.) unaffected from 6.6.134 to 6.6.* (incl.) unaffected from 6.12.81 to 6.12.* (incl.) unaffected from 6.18.22 to 6.18.* (incl.) unaffected from 6.19.12 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 2.6.12 is affected
unaffected from 0 to 2.6.12 (excl.)
unaffected from 5.10.253 to 5.10.* (incl.)
unaffected from 5.15.203 to 5.15.* (incl.)
unaffected from 6.1.168 to 6.1.* (incl.)
unaffected from 6.6.134 to 6.6.* (incl.)
unaffected from 6.12.81 to 6.12.* (incl.)
unaffected from 6.18.22 to 6.18.* (incl.)
unaffected from 6.19.12 to 6.19.* (incl.)
unaffected from 7.0 to * (incl.)

References

CVE-2026-43011 PUBLISHED

net/x25: Fix potential double free of skb

Product Status

References