Skip to main content

Linux Kernel CVE-2026-43109

| EUVDEUVD-2026-27629 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 17:38 vuln.today
CVSS changed
May 11, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

x86: shadow stacks: proper error handling for mmap lock

김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it.

So let's fix both issues.

AnalysisAI

Linux kernel shadow stack implementation fails to check for errors from mmap_read_lock_killable() in shstk_pop_sigframe(), allowing a local authenticated attacker to trigger a denial of service by causing the function to proceed with a failed lock acquisition. The vulnerability affects multiple stable kernel versions prior to patched releases 6.18.24, 6.19.14, and 7.0, with EPSS exploitation probability of 0.02% suggesting low real-world exploit likelihood despite the availability of a vendor patch.

Technical ContextAI

Shadow stacks are an x86 security feature in the Linux kernel that protect return addresses from tampering. The shstk_pop_sigframe() function manages shadow stack state during signal frame processing and must safely acquire the memory mapping lock via mmap_read_lock_killable() to prevent concurrent memory region modifications. The vulnerability is a missing error-check on the lock acquisition call - if mmap_read_lock_killable() returns an error (typically -EINTR when interrupted by a signal), the function proceeds as though the lock were held, leading to use-after-free, data corruption, or kernel panic conditions. The CWE classification is absent from provided data but the root cause is improper error handling (CWE-252: Unchecked Return Value) compounded by lack of compiler enforcement via '__must_check' annotations.

RemediationAI

Update to patched kernel versions: Linux 6.18.24 or later, 6.19.14 or later, or 7.0 or later. Distributions should apply the upstream commits c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4, 262b6d38a81d51b135db81e1f30c13d30e38feee, or 52f657e34d7b21b47434d9d8b26fa7f6778b63a0 (available via https://git.kernel.org/stable/) to their respective stable branches. The fix adds proper error-checking to mmap_read_lock_killable() calls in shstk_pop_sigframe() and marks the function with '__must_check' to prevent future regressions. No workaround is available without code modification; mitigation is limited to restricting local shell access to trusted users only, though this may be impractical in shared systems. Systems with shadow stack support disabled (CONFIG_X86_SHADOW_STACK=n) are unaffected.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy