CVE-2026-43244

Source
https://cve.org/CVERecord?id=CVE-2026-43244
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43244.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43244
Downstream
Published
2026-05-06T11:28:36.946Z
Modified
2026-06-18T03:57:22.103184195Z
Summary
kcm: fix zero-frag skb in frag_list on partial sendmsg error
Details

In the Linux kernel, the following vulnerability has been resolved:

kcm: fix zero-frag skb in frag_list on partial sendmsg error

Syzkaller reported a warning in kcmwritemsgs() when processing a message with a zero-fragment skb in the frag_list.

When kcmsendmsg() fills MAXSKBFRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the fraglist before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments:

head skb (msg being assembled, NOT yet in skwritequeue) +-----------+ | frags[17] | (MAXSKBFRAGS, all filled with data) | frag_list-+--> tskb +-----------+ +----------+ | frags[0] | (empty! copy failed before filling) +----------+

For SOCKSEQPACKET with partial data already copied, the error path saves this message via partialmessage for later completion. For SOCKSEQPACKET, sockwriteiter() automatically sets MSGEOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to skwritequeue. kcmwritemsgs() then walks the frag_list and hits:

WARNON(!skbshinfo(skb)->nr_frags)

TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcpremoveempty_skb(). KCM was missing the equivalent cleanup.

Fix this by tracking the predecessor skb (fragprev) when allocating a new fraglist entry. On error, if the tail skb has zero frags, use fragprev to unlink and free it in O(1) without walking the singly-linked fraglist. fragprev is safe to dereference because the entire message chain is only held locally (or in kcm->seqskb) and is not added to skwritequeue until MSG_EOR, so the send path cannot free it underneath us.

Also change the WARNON to WARNON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly.

There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1].

[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43244.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ab7ac4eb9832e32a09f4e8042705484d2fb0aad3
Fixed
9ea3671d70ee07480d80bebe86696397c4e99fb7
Fixed
b1e3edf688a88c1a3ac41657055d9c136a08cd25
Fixed
7af58f76e4b404a74c836881a845e6652db8a09f
Fixed
ca220141fa8ebae09765a242076b2b77338106b0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43244.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.6.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43244.json"