Skip to main content

Linux Kernel CVE-2026-43211

| EUVDEUVD-2026-27773 HIGH
Improper Locking (CWE-667)
2026-05-06 Linux GHSA-3629-447p-wp7v
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:38 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix pci_slot_trylock() error handling

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails.

Before a4e772898f8b, the code did:

if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } }

After a4e772898f8b the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug.

This yields one of two errors:

  1. A warning that the lock is being unlocked when no one holds it.
  2. An incorrect unlock of a lock that belongs to another thread.

Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path.

[Same patch later posted by Keith at https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com]

AnalysisAI

A double-unlock bug in the Linux kernel PCI subsystem allows local authenticated users to trigger lock corruption, leading to privilege escalation, information disclosure, or denial of service. The flaw exists in pci_slot_trylock() where improper error handling after commit a4e772898f8b unlocks a bridge device lock that was never acquired, causing either lock state corruption or unlocking another thread's lock. With CVSS 7.8 (AV:L/AC:L/PR:L) and EPSS of 0.02% (7th percentile), this is a local vulnerability with low exploitation complexity requiring authenticated access. Vendor patches are available across all active kernel stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). No public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the PCI subsystem's locking primitives in the Linux kernel, specifically within pci_slot_trylock() used during PCI bus enumeration and hotplug operations. The bug was introduced by commit a4e772898f8b which refactored bridge device locking to delegate pci_dev_trylock() to pci_bus_trylock(), but failed to remove the corresponding pci_dev_unlock() call on the failure path. This creates a lock state inconsistency where the function attempts to release a lock it never acquired. The affected code path involves PCI bridge device management, a critical component for PCIe hierarchy control. The CPE identifiers show broad impact across Linux kernel versions from 5.10 through 7.0, with the regression introduced by commit a4e772898f8b and affecting all subsequent versions until patched. Without an assigned CWE, the root cause maps closest to CWE-667 (Improper Locking) or CWE-833 (Deadlock) categories, representing synchronization primitive misuse that can corrupt kernel lock state.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252 or later for the 5.10 LTS branch, 5.15.202 or later for 5.15 LTS, 6.1.165 or later for 6.1 LTS, 6.6.128 or later for 6.6 stable, 6.12.75 or later for 6.12 stable, 6.18.16 or later for 6.18 stable, 6.19.6 or later for 6.19 stable, or 7.0 or later for mainline. Upstream fix commits are documented at https://git.kernel.org/stable/c/bd435f4b738130d732ef64e0e57e45185f77165d (6.1 branch), https://git.kernel.org/stable/c/0425aaf20b407d2f2cf3bf469808e4a35f9abb8b (mainline), and other branch-specific commits listed in references. Linux distributions typically backport security fixes into their supported kernel versions, so apply vendor-specific updates via normal package management (yum/dnf update kernel for RHEL/Fedora, apt upgrade linux-image for Debian/Ubuntu). For systems unable to immediately patch, consider restricting PCI hotplug capabilities via udev rules or disabling runtime PCI device management if operationally feasible, though this impacts hardware flexibility and may break legitimate hotplug workflows in virtualized or bare-metal cloud environments. No effective userspace mitigation exists since the bug resides in kernel locking primitives. Kernel live-patching solutions (kpatch, kGraft, Ksplice) may provide zero-downtime fixes for supported enterprise distributions. Prioritize patching for multi-tenant systems, containerized environments with untrusted workloads, and bare-metal cloud nodes where local users have elevated hardware interaction privileges.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy