What is CVE-2026-43415?

CVE-2026-43415 is a Medium severity Linux kernel vulnerability with a CVSS score of 4.7 out of 10, classified as a Race Condition flaw (CWE-362), affecting Linux kernel versions from 6.6.81 onward and patched in 6.6.130, 6.12.78, 6.18.19 and others. CVE-2026-43415 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-43415?

CVE-2026-43415 has a CVSS score of 4.7 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2026-43415?

Yes, CVE-2026-43415 has been patched. Fixed versions include 6.6.130, 6.12.78, 6.18.19 and others. If you are running Linux kernel 6.6.81 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-43415 actively exploited?

CVE-2026-43415 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Race Condition (CWE-362)?

The product contains a code sequence that can run concurrently with other code, creating unexpected states. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/362.html

CVE-2026-43415

Medium

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.

Package Linux Kernel

Published 2026-05-08

Last modified 2026-05-21

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

4.7

out of 10

Medium

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-362

CVE-2026-43415 is a Race Condition vulnerability

What is Race Condition?

The product contains a code sequence that can run concurrently with other code, creating unexpected states. Learn more on MITRE CWE

Affected versions

Linux kernel versions 6.6.81, 6.8 and later are affected. Fixed in 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 and their respective stable series.

Affected from

≥ 6.6.81 ≥ 6.8

Fixed in

✓ 6.6.130 6.6.x ✓ 6.12.78 6.12.x ✓ 6.18.19 6.18.x ✓ 6.19.9 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-43415 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69
Patch
Kernel patch commit
https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a
Patch

5 patch commits total View all on NVD

Details

CVE ID CVE-2026-43415

Severity Medium

CVSS score 4.7 / 10

CVSS version 3.1

Published 2026-05-08

Modified 2026-05-21

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-43415?

CVE-2026-43415 is a Medium severity Linux kernel vulnerability with a CVSS score of 4.7 out of 10 , classified as a Race Condition flaw (CWE-362) . It affects Linux kernel versions from 6.6.81 onward and has been patched in 6.6.130, 6.12.78, 6.18.19 and others. CVE-2026-43415 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-43415?

CVE-2026-43415 has a CVSS score of 4.7 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2026-43415?

Yes — CVE-2026-43415 has been patched. Fixed versions include 6.6.130, 6.12.78, 6.18.19 and others. If you are running Linux kernel 6.6.81 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-43415 actively exploited?

No — CVE-2026-43415 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Race Condition (CWE-362)?

The product contains a code sequence that can run concurrently with other code, creating unexpected states. View CWE-362 on MITRE CWE →