Skip to main content

Linux Kernel CVE-2026-43240

| EUVDEUVD-2026-27799 MEDIUM
2026-05-06 Linux GHSA-m57m-j47p-5rq9
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 14:37 vuln.today
CVSS changed
May 11, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: add a sanity check on previous kernel's ima kexec buffer

When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic.

BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) - not-present page

Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86.

Without carrying the measurement list across kexec, the attestation would fail.

AnalysisAI

Linux kernel x86 architecture fails to validate IMA measurement list memory bounds during kexec boot with restricted memory parameters, causing kernel panic when the carried-over IMA buffer falls outside truncated RAM. Authenticated local users with kexec privileges can trigger a denial of service. The fix adds a sanity check to validate the previous kernel's IMA kexec buffer against actual memory bounds before restoration, aligning x86 behavior with other architectures.

Technical ContextAI

The vulnerability exists in the x86 kexec implementation, specifically in the IMA (Integrity Measurement Architecture) measurement list restoration process invoked via ima_restore_measurement_list(). When a second-stage kernel is booted with memory-limiting parameters such as 'mem=<size>' (a common practice in kernel development and debugging), the physical memory range is truncated. However, the kernel does not verify that the carried-over IMA kexec buffer from the first kernel resides within the newly truncated physical RAM. This causes a page fault when attempting to access the measurement list at an unmapped address. The root cause is a missing bounds check comparable to those already implemented in other architectures (PowerPC, ARM, etc.) via page_is_ram() validation. The fix implements x86-specific validation during IMA buffer restoration to prevent out-of-bounds access.

RemediationAI

Update the Linux kernel to a patched version: 6.1.165 or later (for 6.1.x series), 6.6.128 or later (for 6.6.x series), 6.12.75 or later (for 6.12.x series), 6.18.16 or later (for 6.18.x series), 6.19.6 or later (for 6.19.x series), or 7.0 or later (for mainline). The upstream fix adds bounds validation via page_is_ram() to the IMA kexec buffer restoration path in x86/kexec code. For systems unable to immediately patch, mitigations include: (1) disable kexec entirely by removing CONFIG_KEXEC from kernel configuration (eliminates the attack path entirely but prevents live kernel updates), (2) restrict kexec capability to trusted users only via capability-based access control (limits privilege exposure but requires deployment automation changes), or (3) disable IMA if not required for attestation use cases (reduces feature surface but may break compliance workflows). Most distributions provide kernel updates through standard package managers; verify patch availability through your vendor's security advisory portal.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy