From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 349343DA7ED for ; Fri, 8 May 2026 14:24:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250272; cv=none; b=LuN4VMxa+3CNmwl+imgDnQWkwDrneLcLs+QvGZ6e2viAN/cvghL0dkDjfBW+UNy96X+DXzfw4iEmFxZ6HBc6JbRbSRyTWqIYfYj29DZmlY2NAlDjoGMd63CtMySpYBbS3B6LuJqjwT01ANEYunKRHWmHbYUEtT7rA4ALoabmI4E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250272; c=relaxed/simple; bh=/nt1PlQxEVIXtu9BP9UpQonkLdLQCpUtUVBHTY9FZ3I=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=StRWx3FnPgQ4MSXVxlpCG5sOieTuDjMA1fo9k7w3Y2frCls1WoIz6L7lYtzfObRvOGwrepuo7dXc7z+ENtMSOQAF9B8wqUeuCTnP+MBhHlF89POUphQPDa1IpY5dzBqeNH4kPlx91hTm0e/kCZnG6QGJZT7QN7OtOn4MTlsQPgA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=FUlO/wAO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="FUlO/wAO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C27E9C2BCB0; Fri, 8 May 2026 14:24:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250272; bh=/nt1PlQxEVIXtu9BP9UpQonkLdLQCpUtUVBHTY9FZ3I=; h=From:To:Cc:Subject:Date:Reply-To:From; b=FUlO/wAOMvkTLNHEq2Rm22spAVHcphy2d7KZjP8+v1lBr5u1qmZt5WE0X90QG6xJ0 QJFct0wdnQjVZoVSc2youWl5RnNig4kTsTSejTWcZ8/3AZljZZtYNEQcM4yBeiXw4m KrXFgNsNm5+gpKeqv54TFZkZWnThqRCjgBD7x/bM= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43411: tipc: fix divide-by-zero in tipc_sk_filter_connect() Date: Fri, 8 May 2026 16:22:20 +0200 Message-ID: <2026050843-CVE-2026-43411-6074@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4230; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=26eI/WG9bL0EHZHCVdLSDz0SfIySEucSaB7mWHdwfvE=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P5bHefx8t73Ia6VSZmhTr6p0xFSD+YlXej3mKbRY5 r38EX6mI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTAC4izDBXytO9qvryO78zp0+H vJtrJLrC68ZmhgUHGVfP0Sl9ObGW94aHiNyEnqPTqy8AAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic. Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect(). Oops: divide error: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+ RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362) Call Trace: tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406) __release_sock (include/net/sock.h:1185 net/core/sock.c:3213) release_sock (net/core/sock.c:3797) tipc_connect (net/tipc/socket.c:2570) __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098) The Linux kernel CVE team has assigned CVE-2026-43411 to this issue. Affected and fixed versions =========================== Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 5.10.253 with commit 600feb0a66a98c6b7f6f02b5f3612e75f9b8540f Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 5.15.203 with commit 3bc9998041076ee05d3f312a22cee6b2ca35527f Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 6.1.167 with commit 579956f9f297eb1b6a5d24de313f3acccee1f9d5 Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 6.6.130 with commit a360d3815aae1f00dd71b7714a846482e85cc1f7 Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 6.12.78 with commit c2ebfbe63deb7bfd4dc2532bae62a7ed67713272 Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 6.18.19 with commit 2754e7b3d64748643df867d1ea6fec522914b635 Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 6.19.9 with commit 338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3 Issue introduced in 4.20 with commit 6787927475e52f6933e3affce365dabb2aa2fadf and fixed in 7.0 with commit 6c5a9baa15de240e747263aba435a0951da8d8d2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43411 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/tipc/socket.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/600feb0a66a98c6b7f6f02b5f3612e75f9b8540f https://git.kernel.org/stable/c/3bc9998041076ee05d3f312a22cee6b2ca35527f https://git.kernel.org/stable/c/579956f9f297eb1b6a5d24de313f3acccee1f9d5 https://git.kernel.org/stable/c/a360d3815aae1f00dd71b7714a846482e85cc1f7 https://git.kernel.org/stable/c/c2ebfbe63deb7bfd4dc2532bae62a7ed67713272 https://git.kernel.org/stable/c/2754e7b3d64748643df867d1ea6fec522914b635 https://git.kernel.org/stable/c/338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3 https://git.kernel.org/stable/c/6c5a9baa15de240e747263aba435a0951da8d8d2