APPLIED[N/N:HWE-6.17]/Cmnt: [SRU][Q/N][PATCH 0/2] CVE-2026-43198

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 14:53:59 UTC 2026


On 24/06/2026 04:18, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-43198
> 
> [ Impact ]
> 
> In tcp_v6_syn_recv_sock(), code executed after the call to
> tcp_v4_syn_recv_sock() runs too late. By that point the child socket is already
> visible in the TCP ehash table and can be accessed by other CPUs, while
> newinet->pinet6 still points to the listener's ipv6_pinfo. This race can lead
> to use of stale or incorrect socket state, which syzbot was able to trigger.
> Given the high CVSS score of 9.8, this is a serious remotely-reachable issue in
> the TCP stack.
> 
> [ Fix ]
> 
> questing: backported with AI-assisted adaptation
> noble: backported with AI-assisted adaptation
> xenial: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> If the fix is incorrect, regressions would surface in the TCP/IPv6 connection
> establishment path, particularly for IPv4-mapped IPv6 sockets, potentially
> causing connection setup failures or socket state corruption under load.
> 


Applied to noble:linux/master-next and 
noble/linux-hwe-6.17/hwe-6.17-next. Questing is EOL. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/3d05aabd/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/3d05aabd/attachment-0001.sig>


More information about the kernel-team mailing list