Skip to main content

Linux Kernel CVE-2026-43199

| EUVDEUVD-2026-27762 HIGH
2026-05-06 Linux GHSA-cvxc-xfv3-gf64
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:36 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query

Fix a "scheduling while atomic" bug in mlx5e_ipsec_init_macs() by replacing mlx5_query_mac_address() with ether_addr_copy() to get the local MAC address directly from netdev->dev_addr.

The issue occurs because mlx5_query_mac_address() queries the hardware which involves mlx5_cmd_exec() that can sleep, but it is called from the mlx5e_ipsec_handle_event workqueue which runs in atomic context.

The MAC address is already available in netdev->dev_addr, so no need to query hardware. This avoids the sleeping call and resolves the bug.

Call trace: BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200 __schedule+0x7ab/0xa20 schedule+0x1c/0xb0 schedule_timeout+0x6e/0xf0 __wait_for_common+0x91/0x1b0 cmd_exec+0xa85/0xff0 [mlx5_core] mlx5_cmd_exec+0x1f/0x50 [mlx5_core] mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core] mlx5_query_mac_address+0x19/0x30 [mlx5_core] mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core] mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core] mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core] process_one_work+0x178/0x2e0 worker_thread+0x2ea/0x430

AnalysisAI

Linux kernel's mlx5e driver allows local denial of service via kernel crash when IPsec event handling triggers illegal sleeping operations in atomic context. The mlx5e_ipsec_handle_event workqueue calls mlx5_query_mac_address() which invokes hardware command execution requiring sleep, causing a 'scheduling while atomic' bug that crashes the kernel. Affected versions include mainline 6.2+ and stable branches 6.12.x through 7.0. Patches available across all supported branches (6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates minimal exploitation probability; no active exploitation or public POC identified. CVSS 7.5 AV:N rating appears inconsistent with description indicating local kernel-level triggering conditions.

Technical ContextAI

The vulnerability resides in the mlx5e Ethernet driver for Mellanox/NVIDIA ConnectX network adapters supporting IPsec offload. The mlx5e_ipsec_init_macs() function incorrectly calls mlx5_query_mac_address() to retrieve the local MAC address, which executes firmware commands via mlx5_cmd_exec(). This command path includes schedule_timeout() and wait_for_common() calls that can sleep. The issue manifests when this code executes within the mlx5e_ipsec_handle_event() workqueue, which runs in atomic context where sleeping operations are prohibited. The fix replaces hardware queries with ether_addr_copy() to directly read the MAC address from netdev->dev_addr, eliminating the sleeping dependency. This is a Linux kernel synchronization primitive violation (similar to CWE-662 Improper Synchronization), though no specific CWE was assigned. Affected CPE scope indicates mlx5_core driver module across kernel versions 6.2 onwards where IPsec acceleration support was introduced.

RemediationAI

Apply vendor-released kernel patches immediately: upgrade to Linux 6.12.75+ for 6.12.x series, 6.18.16+ for 6.18.x series, 6.19.6+ for 6.19.x series, or patched 7.0 mainline builds. Patch commits available at https://git.kernel.org/stable/c/546de94e41e92e1f7dc6213615fb7c794d05db98 with stable backports linked in references. For environments unable to patch immediately, disable IPsec hardware offload on mlx5e interfaces via 'ethtool -K <interface> esp-hw-offload off' which prevents the vulnerable code path from executing, though this reduces IPsec performance to software processing. Alternative mitigation: unload mlx5_core module if Mellanox NICs are not in production use, though this disables network connectivity for those adapters. Red Hat, Ubuntu, Debian, and SUSE will release distribution-specific kernel updates incorporating these patches - subscribe to vendor security advisories. Temporary workaround has no significant security trade-off but measurable performance impact on IPsec throughput.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy