CVE-2026-43303

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 08/05/2026
Last modified: 15/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values.

This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash:

  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
  RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use.
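The stale-state path described above, as a user-space toy model added here for illustration; it is not kernel code or the upstream patch. The `_model` names, the four-page block and the stale values are constructed, and the model assumes allocation initialises only the head page, in line with the description's statement that tail pages retain stale values.

```c
#include <stdio.h>

/* User-space toy model, not kernel code. Names ending in _model are made up. */
#define NPAGES 4                                 /* one order-2 block */
#define POISON_MODEL 0xdead000000000100ULL       /* address from the KASAN report */

struct page_model {
    unsigned long private;        /* owner-defined scratch word */
    unsigned long long lru_next;  /* stands in for page->lru.next */
};

static struct page_model pool[NPAGES];

/* Free path: 'fixed' selects the patched behaviour (clear private). */
static void free_pages_prepare_model(struct page_model *p, int fixed)
{
    p->lru_next = POISON_MODEL;   /* freed page has no valid list linkage */
    if (fixed)
        p->private = 0;
}

/* Swap-side check: private != 0 is read as "continuation list exists".
 * Returns 1 if the model would go on to walk a poisoned list. */
static int swap_count_continued_model(const struct page_model *p)
{
    if (p->private == 0)
        return 0;                          /* no continuation: safe */
    return p->lru_next == POISON_MODEL;    /* kernel would dereference this */
}

/* Returns how many split tail pages would trigger the bad list walk. */
static int simulate(int fixed)
{
    int i, bad = 0;

    for (i = 0; i < NPAGES; i++) {         /* earlier owner (e.g. slub) */
        pool[i].private = 0x1000UL + i;    /* constructed stale value */
        free_pages_prepare_model(&pool[i], fixed);
    }
    pool[0].private = 0;   /* assumption: allocator initialises head only */
    for (i = 1; i < NPAGES; i++)           /* tails after split_page() */
        bad += swap_count_continued_model(&pool[i]);
    return bad;
}

int main(void)
{
    printf("unpatched: %d  patched: %d\n", simulate(0), simulate(1));
    return 0;
}
```

With the clear in the free path, every tail page reaches the swap-side check with `private == 0`, so the continuation walk is never entered regardless of which subsystem owned the page before.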

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18.1 (including) 6.18.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.6 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc9:*:*:*:*:*:*