In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sockdefreadable()
A race condition exists between lecatmclose() setting priv->lecd to NULL and concurrent access to priv->lecd in sendtolecd(), lechandlebridge(), and lecatmsend(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sockdefreadable() when accessing the socket's wait queue.
The root cause is that lecatmclose() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as _rcu in lec.h - Use rcuassignpointer() in lecatmclose() and lecdattach() for safe pointer assignment - Use rcuaccesspointer() for NULL checks that do not dereference the pointer in lecstartxmit(), lecpush(), sendtolecd() and lecdattach() - Use rcureadlock/rcudereference/rcureadunlock in sendtolecd(), lechandlebridge() and lecatmsend() to safely access lecd - Use rcuassignpointer() followed by synchronizercu() in lecatmclose() to ensure all readers have completed before proceeding. This is safe since lecatmclose() is called from vccrelease() which holds locksock(), a sleeping lock. - Remove the manual skreceivequeue drain from lecatmclose() since vccdestroysocket() already drains it after lecatmclose() returns.
v2: Switch from spinlock + sockhold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lecatmclose() drains skreceivequeue since timer and workqueue paths bypass netifstop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43050.json",
"cna_assigner": "Linux"
}