Skip to main content

Linux Kernel CVE-2026-43108

| EUVDEUVD-2026-27626 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 17:37 vuln.today
CVSS changed
May 11, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei

It looks element length declared in servreg_loc_pfr_req_ei for reason not matching servreg_loc_pfr_req's reason field due which we could observe decoding error on PD crash.

qmi_decode_string_elem: String len 81 >= Max Len 65

Fix this by matching with servreg_loc_pfr_req's reason field.

AnalysisAI

A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.

Technical ContextAI

The vulnerability exists in the Qualcomm PD (Process Domain) mapper driver located in the Linux kernel's SOC (System-on-Chip) subsystem. The issue involves QMI (Qualcomm Message Interface) protocol encoding/decoding for service registry location platform feature requests. Specifically, the servreg_loc_pfr_req_ei structure defines an element information array used to validate and decode incoming QMI messages. The reason field's maximum length was declared as 65 bytes in the element information, but the corresponding servreg_loc_pfr_req structure defines the actual reason field as 81 bytes. This mismatch causes qmi_decode_string_elem to reject valid incoming messages during process daemon crashes, which trigger these requests to the service registry mapper. The root cause is a configuration synchronization failure between two data structures that should define identical field constraints.

RemediationAI

Update to a patched Linux kernel version: 6.19.14, 6.18.24, 6.12.83, 7.0 or newer, or apply the upstream fix from commit c93ca7c5a72e23a83a0b96f7f5c41a7a72f1dc47 (https://git.kernel.org/stable/c/c93ca7c5a72e23a83a0b96f7f5c41a7a72f1dc47). The patch corrects the servreg_loc_pfr_req_ei element length declaration to match the 81-byte maximum of the servreg_loc_pfr_req reason field. For systems unable to update immediately, disable Qualcomm PDR helper support if not required (set CONFIG_QCOM_PDR_HELPER=n at build time), though this will break process daemon restart functionality on affected devices. Alternatively, avoid triggering process daemon crashes on production systems by monitoring PD health and implementing strict process isolation policies. Kernel module rebuild or distribution package upgrade is required; runtime mitigation is not possible.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy