Skip to main content

Linux Kernel CVE-2026-43197

| EUVDEUVD-2026-27758 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-25mj-mfqw-xqm2
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:36 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.1 (CRITICAL)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netconsole: avoid OOB reads, msg is not nul-terminated

msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see:

printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594

CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750

Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0

The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)

AnalysisAI

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Technical ContextAI

Netconsole is a Linux kernel subsystem that redirects kernel log messages over the network for remote debugging. After commit 7eab73b18630 converted netconsole to the NBCON (Non-Blocking Console) infrastructure, the handling of console messages changed from using static global buffers (printk_shared_pbufs) to dynamically allocated memory. The console subsystem passes messages to netconsole without guaranteeing null-termination, but netconsole's string formatting functions (string(), vsnprintf(), scnprintf()) assume null-terminated input. This mismatch causes OOB reads when the formatter walks past the allocated buffer boundary looking for a null terminator. KASAN detection became more effective with the new allocation pattern, revealing a 3072-byte allocation being read at offset 3072 (0xC00) during message formatting in netconsole_write(). The vulnerability represents a classic buffer over-read scenario where trust boundary assumptions between kernel subsystems broke during infrastructure modernization.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16, 6.19.6, or 7.0 and later. Vendor patches available at https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e (primary fix), https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58, and https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578 for backported branches. Distribution users should apply vendor security updates when available through normal channels (yum/dnf update kernel, apt upgrade linux-image, zypper up kernel-default). If immediate patching is not feasible, disable netconsole functionality as a temporary workaround: remove netconsole kernel module (rmmod netconsole) or prevent loading at boot (blacklist in /etc/modprobe.d/). This mitigation eliminates the vulnerable code path entirely but removes remote kernel logging capability, impacting debugging workflows in headless or remote systems. For systems requiring netconsole for operational monitoring, prioritize patching within normal maintenance windows - the low EPSS score and lack of public exploits do not justify emergency out-of-band patching unless kernel memory disclosure has specific compliance implications for your environment.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy