Skip to main content

Linux Kernel CVE-2026-43145

| EUVDEUVD-2026-27705 MEDIUM
Memory Leak (CWE-401)
2026-05-06 Linux GHSA-7f3f-6h8v-698g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:58 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

remoteproc: imx_rproc: Fix invalid loaded resource table detection

imx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded resource table even when the current firmware does not provide one.

When the device tree contains a "rsc-table" entry, priv->rsc_table is non-NULL and denotes where a resource table would be located if one is present in memory. However, when the current firmware has no resource table, rproc->table_ptr is NULL. The function still returns priv->rsc_table, and the remoteproc core interprets this as a valid loaded resource table.

Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when there is no resource table for the current firmware (i.e. when rproc->table_ptr is NULL). This aligns the function's semantics with the remoteproc core: a loaded resource table is only reported when a valid table_ptr exists.

With this change, starting firmware without a resource table no longer triggers a crash.

AnalysisAI

Kernel crash in the Linux remoteproc imx_rproc subsystem (NXP i.MX platform) allows a local authenticated attacker to trigger a denial of service by loading firmware that lacks a resource table. The root cause is imx_rproc_elf_find_loaded_rsc_table() returning a stale non-NULL priv->rsc_table pointer even when rproc->table_ptr is NULL, causing the remoteproc core to dereference what it incorrectly treats as a valid loaded resource table. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects the narrow hardware-specific attack surface.

Technical ContextAI

The affected code resides in drivers/remoteproc/imx_rproc.c within the Linux kernel's remoteproc framework, which manages co-processors on NXP i.MX SoCs. The resource table is a shared-memory structure that describes co-processor resources (vrings, carveout memory, etc.) and is located via either firmware ELF sections or device-tree 'rsc-table' entries. When the device tree specifies 'rsc-table', priv->rsc_table is populated at probe time and persists regardless of whether the currently loaded firmware actually exports a resource table (signalled by a non-NULL rproc->table_ptr). The CWE-401 classification (Missing Release of Memory after Effective Lifetime) reflects that the stale pointer continues to be returned and acted upon after its conceptual validity has ended - when the firmware that would have backed it is absent - leading to the remoteproc core operating on corrupt or unmapped memory and crashing. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers the full Linux kernel source tree up to the patched stable branches.

RemediationAI

Upgrade to one of the vendor-released patched stable kernel versions: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0. Fix commits are available at https://git.kernel.org/stable/c/91baf24d972ea3c04a75dd18821c03d223c0dbc0 (6.1 branch), https://git.kernel.org/stable/c/500778df9e4c313190368908ff40c23948508e97 (6.6 branch), https://git.kernel.org/stable/c/26aa5295010ffaebcf8f1991c53fa7cf2ee1b20d (6.12 branch), and additional branch-specific commits referenced by cveorg. Distributions such as Red Hat and SUSE are expected to backport the fix; consult their advisories for RHEL/SLES-specific package versions. As a compensating control where upgrading is not immediately possible, preventing unprivileged users from loading firmware into the remoteproc subsystem (via filesystem permissions on /sys/class/remoteproc/ or disabling the imx_rproc module with 'rmmod imx_rproc' if the co-processor is not in use) will eliminate the attack surface. Note that disabling the module will halt any workload running on the i.MX co-processor.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy