{"id":"CVE-2026-43455","summary":"mctp: route: hold key-\u003elock in mctp_flow_prepare_output()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: route: hold key-\u003elock in mctp_flow_prepare_output()\n\nmctp_flow_prepare_output() checks key-\u003edev and may call\nmctp_dev_set_key(), but it does not hold key-\u003elock while doing so.\n\nmctp_dev_set_key() and mctp_dev_release_key() are annotated with\n__must_hold(&key-\u003elock), so key-\u003edev access is intended to be\nserialized by key-\u003elock. The mctp_sendmsg() transmit path reaches\nmctp_flow_prepare_output() via mctp_local_output() -\u003e mctp_dst_output()\nwithout holding key-\u003elock, so the check-and-set sequence is racy.\n\nExample interleaving:\n\n  CPU0                                  CPU1\n  ----                                  ----\n  mctp_flow_prepare_output(key, devA)\n    if (!key-\u003edev)  // sees NULL\n                                        mctp_flow_prepare_output(\n                                            key, devB)\n                                          if (!key-\u003edev)  // still NULL\n                                          mctp_dev_set_key(devB, key)\n                                            mctp_dev_hold(devB)\n                                            key-\u003edev = devB\n    mctp_dev_set_key(devA, key)\n      mctp_dev_hold(devA)\n      key-\u003edev = devA   // overwrites devB\n\nNow both devA and devB references were acquired, but only the final\nkey-\u003edev value is tracked for release. One reference can be lost,\ncausing a resource leak as mctp_dev_release_key() would only decrease\nthe reference on one dev.\n\nFix by taking key-\u003elock around the key-\u003edev check and\nmctp_dev_set_key() call.","modified":"2026-07-15T01:49:20.669650486Z","published":"2026-05-08T14:22:19.375Z","related":["SUSE-SU-2026:22099-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22117-1","SUSE-SU-2026:22127-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:22433-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:20965-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43455.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43455.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43455"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"67737c457281dd199ceb9e31b6ba7efd3bfe566d"},{"fixed":"47893166bc5611ee9a20de6b8d2933b2320fb772"},{"fixed":"86f5334fcb48a5b611c33364ab52ca684d0f6d91"},{"fixed":"0695712f3a6f1a48915f95767cfb42077683dcdc"},{"fixed":"925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f"},{"fixed":"8d27d9b260dd19c1b519e1a13de6448f9984e30e"},{"fixed":"7d86aa41c073c4e7eb75fd2e674f1fd8f289728a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43455.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43455.json"}}],"schema_version":"1.7.5"}