Skip to main content

Linux Kernel CVE-2026-43141

| EUVDEUVD-2026-27702 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-w255-hqmv-g27g
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 09:05 vuln.today
CVSS changed
May 13, 2026 - 21:07 NVD
7.1 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut

Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value.

AnalysisAI

Local denial-of-service and potential memory corruption in the Linux kernel's ntb_hw_switchtec driver allows a low-privileged local user to trigger undefined behavior via a shift-out-of-bounds condition when the Non-Transparent Bridge (NTB) is configured with zero Memory Window LUTs. The flaw stems from rounddown_pow_of_two being invoked on a zero value, and although no public exploit is identified at time of analysis, the upstream fix is available across multiple stable kernel branches. EPSS is very low at 0.02%, consistent with the local attack vector and narrow hardware-dependent trigger.

Technical ContextAI

The bug resides in drivers/ntb/hw/mscc/ntb_hw_switchtec.c, the driver for Microsemi/Microchip Switchtec PCIe Non-Transparent Bridge devices used in multi-host PCIe interconnect setups. NTB exposes Memory Windows (MWs), and the LUT (Look-Up Table) count varies by hardware configuration. The driver calls rounddown_pow_of_two() on the LUT count, but when configured as zero, the underlying log2 operation produces a shift-out-of-bounds - classified as CWE-125 (out-of-bounds read) in this advisory because the resulting computation can lead to reading uninitialized or adjacent kernel memory regions. This is a classic undefined-behavior pattern flagged by UBSAN on kernels with that sanitizer enabled.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 (or later) depending on your branch, applying the upstream commits at git.kernel.org/stable/c/d652ef399f131fcd5f8f34266167449ee7c9e5b3 and the related sibling commits listed in references. For distribution kernels, install the Red Hat or SUSE kernel security update once published. As a compensating control where patching is delayed, blacklist the ntb_hw_switchtec module via /etc/modprobe.d/ (e.g. 'blacklist ntb_hw_switchtec' plus 'install ntb_hw_switchtec /bin/false'), which fully eliminates the attack surface at the cost of disabling Switchtec NTB functionality - only acceptable on systems that do not rely on Switchtec PCIe interconnect. Restricting which local users can interact with NTB device nodes (typically root-owned in /sys/class/ntb/) also reduces exposure but does not address kernel-internal code paths triggered during driver probe.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy