On 8 May 2026 the NVD published CVE-2026-43303, a use-after-free in the Linux kernel’s memory management. The bug doesn’t live in some obscure driver or optional module. It sits in the core page subsystem, so the range of affected machines is wide: servers, desktops, VMs, WSL2 instances on Windows, and just about any container deployment.
What actually breaks
The trouble is in how the kernel recycles memory pages. Several subsystems free pages without first clearing the page->private field. When those pages are reallocated and split, the tail pages keep stale values in page->private. The swap subsystem assumes a freshly allocated page has that field clean, so it reads a leftover value as if it were a valid continuation list. From there it iterates over an uninitialized page->lru containing LIST_POISON markers, and the kernel crashes.
In practice this is a race condition: an object gets freed while references to it are still live, which opens a window to corrupt memory. Depending on the case that means a system crash, or, in the hands of someone who knows how to lay out the right data, a path to privilege escalation. The required access is local; this is not something you exploit over the network.
Who it affects
The vulnerable code has been present since Linux 5.18, all the way through the stable releases that predate the fix. Concretely it covers the maintained branches: 6.1.x up to 6.1.176, 6.6.x up to 6.6.143, 6.12.x up to 6.12.93, 6.18.x up to 6.18.16, and 6.19.x up to 6.19.6. Kernels before 5.18 and the 7.0 series onward are not affected.
Three scenarios deserve attention because they hurt more. WSL2, since it runs a real Linux kernel inside Windows and plenty of people leave it untouched for months. Containers, because they share the host kernel: a bug here reaches everything running on top. And longterm or custom-built kernels, where the patch doesn’t arrive on its own. Android, which also tracks affected kernel branches, falls into the same bucket.
Severity and mitigation
The CVE carries a CVSS 3.1 score of 7.8 (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), rated high. The good news is there’s no remote vector: you need a local account on the box. The bad news is the surface is large, given how many installs drag along old kernels.
The fix is six commits on kernel.org, published on 8 May and last revised on 19 June 2026. The sensible move is to apply your distribution’s patched kernel:
- On native Linux systems, update with
apt,dnf,yum, orzypperas appropriate, then reboot. - On WSL2, run
wsl --updatefrom Windows to pull the corrected kernel. - On container hosts, update the host kernel (touching the container image is not enough) and, if you use Docker Desktop, update that too.
If you manage longterm kernels or build your own, check that your branch includes the commits before you call yourself covered. A reboot is required for the change to take effect.