What is CVE-2026-43496?

CVE-2026-43496 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 2.6.29 onward and patched in 5.10.258, 5.15.209, 6.1.175 and others. CVE-2026-43496 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-43496?

CVE-2026-43496 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-43496?

Yes, CVE-2026-43496 has been patched. Fixed versions include 5.10.258, 5.15.209, 6.1.175 and others. If you are running Linux kernel 2.6.29 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-43496 actively exploited?

CVE-2026-43496 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-43496

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then - the child in this case(red) calls its child's (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasnt a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. - red will call the child's dequeue() which will essentially just try to grab something of qfq's queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.

Package Linux Kernel

Published 2026-05-21

Last modified 2026-06-01

Patch available

Yes

Affected versions

Linux kernel versions 2.6.29 and later are affected. Fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3 and their respective stable series.

Affected from

≥ 2.6.29

Fixed in

✓ 5.10.258 5.10.x ✓ 5.15.209 5.15.x ✓ 6.1.175 6.1.x ✓ 6.6.140 6.6.x ✓ 6.12.88 6.12.x ✓ 6.18.30 6.18.x ✓ 7.0.7 7.0.x ✓ 7.1-rc3

References

The following references provide additional information about CVE-2026-43496 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/03b0aaeba082ae981a0dfe96cdd03d02050537a1
Patch
Kernel patch commit
https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50
Patch
Kernel patch commit
https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c
Patch

8 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-43496?

CVE-2026-43496 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 2.6.29 onward and has been patched in 5.10.258, 5.15.209, 6.1.175 and others. CVE-2026-43496 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-43496?

Yes — CVE-2026-43496 has been patched. Fixed versions include 5.10.258, 5.15.209, 6.1.175 and others. If you are running Linux kernel 2.6.29 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-43496 actively exploited?

No — CVE-2026-43496 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.