{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-08T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/page_alloc: clear page->private in free_pages_prepare()",
    "id" : "2468091",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468091"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-909",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/page_alloc: clear page->private in free_pages_prepare()\nSeveral subsystems (slub, shmem, ttm, etc.) use page->private but don't\nclear it before freeing pages.  When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage->private values.\nThis causes a use-after-free in the swap subsystem.  The swap code uses\npage->private to track swap count continuations, assuming freshly\nallocated pages have page->private == 0.  When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page->lru containing LIST_POISON values,\ncausing a crash:\nKASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\nRIP: 0010:__do_sys_swapoff+0x1151/0x1860\nFix this by clearing page->private in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use.", "A flaw was found in the Linux kernel's memory management subsystem. When pages are freed, the page->private field is not properly cleared. If these pages are later reallocated as high-order pages and split, the tail pages can retain stale page->private values. This can lead to a use-after-free vulnerability in the swap subsystem, where incorrect assumptions about the page->private value can cause the system to crash." ],
  "statement" : "A stale page private value can remain on freed pages and later survive allocation as a high-order page followed by split_page. The swap subsystem assumes newly allocated pages have page private set to zero and may treat the stale value as a valid swap count continuation, leading to traversal of poisoned or invalid list state and a UAF style wild memory access in the swapoff path. For the CVSS the PR:L is used for the paranoid case because a local user may be able to influence allocator state and page reuse even though the direct crash trace involves swapoff. The issue is not network reachable. Impact is at least local denial of service via kernel crash, and in worst case may allow confidentiality or integrity impact due to core memory management corruption.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21557",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.18.1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26515",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.176.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26462",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.176.1.rt14.461.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27735",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.4",
    "package" : "kernel-0:5.14.0-427.132.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27708",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.123.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Under investigation",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43303\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43303\nhttps://lore.kernel.org/linux-cve-announce/2026050857-CVE-2026-43303-dc12@gregkh/T" ],
  "name" : "CVE-2026-43303",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}