External risk intelligence

Linux Kernel could allow external attacker to bypass network authentication

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-43384

An external attacker can exploit a flaw in the Linux kernel by analyzing system response times to guess secret authentication codes. This allows them to impersonate trusted network devices to intercept or inject sensitive data, potentially compromising the integrity of critical communications.

2Halo Surface Signal

Linux Kernel

6.7 to before 6.12.786.13 to before 6.18.196.19 to before 6.19.97.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-43384

The vulnerability exists in the Linux kernel's TCP-AO implementation, which is primarily used to secure infrastructure-level communication like BGP sessions between trusted network peers. These sessions are typically restricted to known endpoints behind internal or private peering controls rather than being exposed as public internet-facing services.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in the Linux kernel's TCP-AO feature could allow attackers to bypass security checks by exploiting timing differences. This is important because it could compromise the integrity and confidentiality of network communications secured by this feature.

Affects network communications.
Could lead to data compromise.
Requires network access.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability to perform a timing attack against the Linux kernel's TCP Authentication Option (TCP-AO) implementation. By precisely measuring the time it takes for the kernel to process specific network packets, an attacker could potentially deduce information that helps them bypass security controls or gain unauthorized access.

Requires network access.
Targets TCP-AO MAC comparison.
Exploits timing differences.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Linux kernel's TCP-AO implementation is unlikely to be widely weaponized. Attackers generally target vulnerabilities that affect a broad range of easily accessible systems or that can be exploited remotely without authentication. TCP-AO is typically used for securing specific, infrastructure-level communication channels rather than general-purpose internet services.

KEV status: Not listed.
Exploitation: No public exploits observed.
Recency: Fixes released in May 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected Linux kernel versions, focusing on those with exposed TCP-AO configurations. If immediate patching isn't feasible, implement network segmentation to isolate services using TCP-AO, and enhance monitoring for unusual network traffic patterns related to these services.

Patch Linux kernel to 6.12.78, 6.18.19, or 6.19.9.
Isolate affected systems or networks.
Monitor TCP-AO network activity.

Frequently asked questions

What is the Linux kernel and its TCP-AO feature?

The Linux kernel is the fundamental core of the Linux operating system, managing all hardware and software resources. TCP Authentication Option (TCP-AO) is a security enhancement within the kernel that strengthens network communications by verifying the integrity and authenticity of TCP segments using cryptographic methods to prevent tampering.

How does CVE-2026-43384 compromise network security?

CVE-2026-43384 is a timing attack vulnerability. Attackers can exploit subtle differences in the processing times of network packets to potentially circumvent authentication mechanisms or gain unauthorized access to systems that rely on TCP-AO for security.

What is the weakness class for CVE-2026-43384?

The weakness class for CVE-2026-43384 is a timing attack. This type of vulnerability occurs when an attacker can infer sensitive information by measuring the time it takes for a system to perform a cryptographic operation or process data.

What is the relevance of CVE-2026-43384 to network infrastructure?

This vulnerability impacts the Linux kernel's TCP-AO implementation, which is often used for securing critical infrastructure communications. Exploitation could undermine the integrity and confidentiality of these sensitive network sessions, affecting services like BGP peering between trusted network peers.

What are the recommended actions for mitigating CVE-2026-43384?

To address CVE-2026-43384, it is recommended to patch affected Linux kernel versions to the fixed releases (e.g., 6.12.78, 6.18.19, or 6.19.9). If immediate patching is not possible, consider isolating systems using TCP-AO through network segmentation and implementing enhanced monitoring for anomalous network traffic related to these services.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.