Skip to main content

Linux Kernel CVE-2026-43129

| EUVDEUVD-2026-27690 MEDIUM
2026-05-06 Linux GHSA-rphf-w922-p2vc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 20:00 vuln.today
CVSS changed
May 08, 2026 - 17:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ima: verify the previous kernel's IMA buffer lies in addressable RAM

Patch series "Address page fault in ima_restore_measurement_list()", v3.

When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a pafe fault that happens.

BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present page

This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds")

This patch (of 3):

When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore.

Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory:

  • On x86, use pfn_range_is_mapped().
  • On OF based architectures, use page_is_ram().

AnalysisAI

Linux kernel page fault in ima_restore_measurement_list() when the second-stage kernel is booted via kexec with memory-limiting command lines such as 'mem=<size>' allows local authenticated users to cause a denial of service by triggering an out-of-bounds memory access. The vulnerability occurs on x86_64 architectures when the IMA measurement buffer from the previous kernel falls outside the addressable RAM of the new kernel, resulting in a kernel panic during early IMA restoration.

Technical ContextAI

The vulnerability exists in the Linux kernel's Integrity Measurement Architecture (IMA) subsystem, specifically in the ima_restore_measurement_list() function. When a system is rebooted using kexec with memory constraints (e.g., 'mem=<size>'), the second-stage kernel may have a reduced addressable memory range compared to the previous kernel. The IMA measurement buffer, which is passed from the previous kernel to the new kernel via the kexec mechanism, may be located in physical memory that is no longer addressable by the new kernel. Without proper validation, attempting to access this buffer triggers a page fault (BUG: unable to handle page fault for address). The fix introduces ima_validate_range() helper function that verifies the physical [start, end] range of the IMA buffer against the new kernel's addressable memory using architecture-specific functions: pfn_range_is_mapped() on x86 and page_is_ram() on OF-based architectures (such as ARM64). This validation occurs before attempting to access the buffer, preventing the page fault.

RemediationAI

Upgrade to patched kernel versions: Linux 6.12.77 or later, 6.18.16 or later, 6.19.6 or later, or 7.0 or later, depending on your kernel branch. Apply the fixes from upstream commits f11d7d088f5ed54b31c6735854c12845eb60eb4a, 9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa, 5366ec7d2f793ce703c403d7fd4c25a3db365b9d, and 10d1c75ed4382a8e79874379caa2ead8952734f9 (available at https://git.kernel.org/stable/c/). Until patching, avoid triggering kexec with memory-limiting command lines (e.g., do not use 'mem=<size>' parameter during kernel reboots) on x86_64 systems with IMA enabled. If memory constraints are necessary for testing or development, either disable IMA in the kernel configuration or ensure the new kernel's addressable memory range encompasses the entire IMA buffer from the previous kernel. Note that the fix introduces a small performance overhead during early boot due to range validation, but this is negligible and essential for system stability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy