CVE-2026-43402
CVSS v3.1 severity:
CRITICAL
Type:
Not available / Other type
Publication date:
08/05/2026
Last modified:
12/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

kthread: consolidate kthread exit paths to prevent use-after-free

Guillaume reported crashes via corrupted RCU callback function pointers
during KUnit testing. The crash was traced back to the pidfs rhashtable
conversion which replaced the 24-byte rb_node with an 8-byte rhash_head
in struct pid, shrinking it from 160 to 144 bytes.

struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With
CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to
192 bytes and share the same slab cache. struct pid.rcu.func and
struct kthread.affinity_node both sit at offset 0x78.

When a kthread exits via make_task_dead() it bypasses kthread_exit() and
misses the affinity_node cleanup. free_kthread_struct() frees the memory
while the node is still linked into the global kthread_affinity_list. A
subsequent list_del() by another kthread writes through dangling list
pointers into the freed and reused memory, corrupting the pid's
rcu.func pointer.

Instead of patching free_kthread_struct() to handle the missed cleanup,
consolidate all kthread exit paths. Turn kthread_exit() into a macro
that calls do_exit() and add kthread_do_exit() which is called from
do_exit() for any task with PF_KTHREAD set. This guarantees that
kthread-specific cleanup always happens regardless of the exit path -
make_task_dead(), direct do_exit(), or kthread_exit().

Replace __to_kthread() with a new tsk_is_kthread() accessor in the
public header. Export do_exit() since module code using the
kthread_exit() macro now needs it directly.
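As an added illustration (not code from the kernel, the patch, or this advisory), the userspace C simulation below reproduces the mechanism described in the commit message: a single 192-byte slot shared by a kthread and a pid, an affinity node left linked by the bypassed exit path, and the list_del() of a neighbouring kthread writing through the dangling pointer into the reused slot at offset 0x78. The list primitives, struct layouts and slot reuse are simplified stand-ins for the kernel's list.h, struct kthread, struct pid and the merged slab cache.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Intrusive doubly-linked list with the same shape as the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* One 192-byte slot standing in for the merged slab cache: the bytes released by
 * a dying kthread are handed straight to the next struct pid allocation. */
static unsigned char slab[192];
struct kthread { char pad[0x78]; struct list_head affinity_node; };
struct pid     { char pad[0x78]; void (*rcu_func)(void); };   /* same offset 0x78 */

static struct list_head kthread_affinity_list;
static void rcu_callback(void) {}

static struct kthread *kthread_alloc(void *slot) {
    struct kthread *k = slot;
    memset(k, 0, sizeof *k);
    list_add(&k->affinity_node, &kthread_affinity_list);
    return k;
}
/* Pre-fix make_task_dead() path: free_kthread_struct() without unlinking. */
static void exit_via_make_task_dead(struct kthread *k) { (void)k; }
/* Post-fix: kthread_do_exit() runs from do_exit() for every PF_KTHREAD task. */
static void exit_via_kthread_do_exit(struct kthread *k) { list_del(&k->affinity_node); }

/* Returns 1 if the pid's rcu func survives, 0 if the dangling node clobbered it. */
static int rcu_func_survives(int fixed) {
    struct kthread older;                   /* linked first, so it sits after the victim */
    list_init(&kthread_affinity_list);
    kthread_alloc(&older);
    struct kthread *victim = kthread_alloc(slab);
    if (fixed) exit_via_kthread_do_exit(victim); else exit_via_make_task_dead(victim);
    /* slot reused: a struct pid's rcu func now occupies offset 0x78 (memcpy avoids aliasing) */
    void (*fn)(void) = rcu_callback;
    memset(slab, 0, sizeof slab);
    memcpy(slab + offsetof(struct pid, rcu_func), &fn, sizeof fn);
    list_del(&older.affinity_node);         /* older.prev->next = older.next lands in the slot */
    memcpy(&fn, slab + offsetof(struct pid, rcu_func), sizeof fn);
    return fn == rcu_callback;
}
```

Calling rcu_func_survives(0) models the pre-fix exit path and reports the function pointer as corrupted; rcu_func_survives(1) models the consolidated exit path and reports it intact.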
Impact
Base score 3.x
9.80
Severity 3.x
CRITICAL