{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "c15fe55d14b3b4ded5af2a3260877460a6ffb8ad"
            },
            {
              "fixed": "a5d00dff97118a32fcf5fec7a4c3f864c4620c4e"
            },
            {
              "fixed": "59e7707492576bdbfa8c1dbe7d90791df31e4773"
            },
            {
              "fixed": "bf841d43f7a33d75675ba7f4e214ac1c67913065"
            },
            {
              "fixed": "ce8ded2e61f47747e31eeefb44dc24a2160a7e32"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "be03c4fe72384366fd4077a70966bd3b8fc49013"
            },
            {
              "last_affected": "1ab4de11232e83b875b071aa44d1155634ca8a1e"
            },
            {
              "last_affected": "7cc9dbae8a5f73bd555130384ea256018d28f283"
            },
            {
              "last_affected": "3e0359f151ac151abe3fa71040e450ed69cb824b"
            },
            {
              "last_affected": "8d3fc907d060c4fb33203e616a395a22083b6566"
            },
            {
              "last_affected": "4f0e9244770f5b75a16d8c0929063cd336926764"
            },
            {
              "last_affected": "5f6a8974e9ef317fe63f88bab1f33070195dd147"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "4.14.308"
            },
            {
              "fixed": "4.15"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "4.19.276"
            },
            {
              "fixed": "4.20"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.4.235"
            },
            {
              "fixed": "5.5"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.10.173"
            },
            {
              "fixed": "5.11"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "5.15.100"
            },
            {
              "fixed": "5.16"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.1.18"
            },
            {
              "fixed": "6.2"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "6.2.5"
            },
            {
              "fixed": "6.3"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "fixed": "6.12.75"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.16"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43249.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[   27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[   27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[   27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[   27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 \u003c48\u003e 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[   27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[   27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[   27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[   27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[   27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[   27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[   27.052404] FS:  0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[   27.052408] CS:  e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[   27.052418] Call Trace:\n[   27.052420]  \u003cTASK\u003e\n[   27.052422]  xen_9pfs_front_changed+0x5d5/0x720\n[   27.052426]  ? xenbus_otherend_changed+0x72/0x140\n[   27.052430]  ? __pfx_xenwatch_thread+0x10/0x10\n[   27.052434]  xenwatch_thread+0x94/0x1c0\n[   27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10\n[   27.052442]  kthread+0xf8/0x240\n[   27.052445]  ? __pfx_kthread+0x10/0x10\n[   27.052449]  ? __pfx_kthread+0x10/0x10\n[   27.052452]  ret_from_fork+0x16b/0x1a0\n[   27.052456]  ? __pfx_kthread+0x10/0x10\n[   27.052459]  ret_from_fork_asm+0x1a/0x30\n[   27.052463]  \u003c/TASK\u003e\n[   27.052465] Modules linked in:\n[   27.052471] ---[ end trace 0000000000000000 ]---",
  "id": "CVE-2026-43249",
  "modified": "2026-07-08T05:39:00.325795289Z",
  "published": "2026-05-06T11:28:40.290Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43249.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43249"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "9p/xen: protect xen_9pfs_front_free against concurrent calls"
}