cve-2026-43009
About this tag
CVE-2026-43009 is a high-severity Linux kernel eBPF verifier flaw disclosed on May 1, 2026, affecting kernel versions from 5.12 up to, but not including, 6.19.12. With a CVSS score of 7.8, the bug could allow a local privileged user to compromise confidentiality, integrity, and availability. The vulnerability arises from an overly aggressive verifier optimization that incorrectly treats two program states as identical. For Windows users, this bug is relevant because it impacts the Windows Subsystem for Linux (WSL), which relies on the Linux kernel. Discussions on WindowsForum cover the technical details of the flaw and its implications for WSL environments, emphasizing that kernel extension safety depends on the correctness of compiler-like reasoning within the kernel.
CVE-2026-43009 is a Linux kernel eBPF verifier flaw disclosed by kernel.org on May 1, 2026, affecting versions from 5.12 through before 6.19.12 and scored 7.8 High because a local privileged user could potentially compromise confidentiality, integrity, and availability. The short version is that...