Skip to main content

Linux Kernel CVE-2026-43171

| EUVDEUVD-2026-27730 MEDIUM
Integer Underflow (CWE-191)
2026-05-06 Linux GHSA-v6h5-rjwv-4cvj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:59 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

EFI/CPER: don't dump the entire memory region

The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -= offset will underflow, making it dump the entire memory.

The end result can be:

  • the logic taking a lot of time dumping large regions of memory;
  • data disclosure due to the memory dumps;
  • an OOPS, if it tries to dump an unmapped memory region.

Fix it by checking if the section length is too small before doing a hex dump.

[ rjw: Subject tweaks ]

AnalysisAI

Integer underflow in the Linux kernel's EFI/CPER firmware error logging function (cper_print_fw_err) allows local authenticated attackers to trigger denial of service via memory dump of unmapped regions, disclose kernel memory contents, or cause system crash when processing malformed EFI firmware error records with invalid offsets. The vulnerability stems from insufficient validation of error record length before subtracting an offset, causing integer wraparound that permits dumping of arbitrary kernel memory regions.

Technical ContextAI

The vulnerability exists in the EFI/CPER (Unified Extensible Firmware Interface / Platform Specific Error Record) firmware error handling subsystem, specifically in the cper_print_fw_err() function. When the firmware provides an error record with a section offset greater than the actual record length, the kernel code performs length -= offset without prior bounds checking. This integer underflow (CWE-191) causes the length variable to wrap to a very large positive value, subsequently triggering a hex dump of kernel memory far beyond the intended error record boundaries. This is triggered during firmware error reporting, a code path with elevated privilege access that processes untrusted firmware-provided data structures.

RemediationAI

Apply vendor-released kernel patches immediately: Linux 5.10.252+, 5.15.202+, 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, or 7.0+. System administrators should prioritize patching systems handling firmware error reporting from untrusted sources or in supply-chain environments where firmware integrity cannot be guaranteed. As a compensating control on unpatched systems, disable EFI firmware error reporting at boot time via kernel command-line parameter 'ghes.disable=1' (GHES = Generic Hardware Error Source), though this prevents visibility into actual firmware errors and should only be temporary until patches are applied. No workaround exists for the information disclosure component without disabling the entire EFI error subsystem. Patch application requires kernel rebuild and reboot; most distributions provide pre-built updated kernels through standard package managers.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy