Skip to main content

Linux Kernel CVE-2026-43285

| EUVDEUVD-2026-28555 MEDIUM
2026-05-08 Linux GHSA-v2vh-p96v-7cc2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 21:15 vuln.today
CVSS changed
May 14, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mm/slab: do not access current->mems_allowed_seq if !allow_spin

Lockdep complains when get_from_any_partial() is called in an NMI context, because current->mems_allowed_seq is seqcount_spinlock_t and not NMI-safe:

======== WARNING: inconsistent lock state 6.19.0-rc5-kfree-rcu+ #315 Tainted: G N -------------------------------- inconsistent {INITIAL USE} -> {IN-NMI} usage. kunit_try_catch/9989 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff889085799820 (&____s->seqcount#3){.-.-}-{0:0}, at: ___slab_alloc+0x58f/0xc00 {INITIAL USE} state was registered at: lock_acquire+0x185/0x320 kernel_init_freeable+0x391/0x1150 kernel_init+0x1f/0x220 ret_from_fork+0x736/0x8f0 ret_from_fork_asm+0x1a/0x30 irq event stamp: 56 hardirqs last enabled at (55): [<ffffffff850a68d7>] _raw_spin_unlock_irq+0x27/0x70 hardirqs last disabled at (56): [<ffffffff850858ca>] __schedule+0x2a8a/0x6630 softirqs last enabled at (0): [<ffffffff81536711>] copy_process+0x1dc1/0x6a10 softirqs last disabled at (0): [<0000000000000000>] 0x0

other info that might help us debug this: Possible unsafe locking scenario:

CPU0 ---- lock(&____s->seqcount#3); <Interrupt> lock(&____s->seqcount#3);

* DEADLOCK *

According to Documentation/locking/seqlock.rst, seqcount_t is not NMI-safe and seqcount_latch_t should be used when read path can interrupt the write-side critical section. In this case, do not access current->mems_allowed_seq and avoid retry.

AnalysisAI

Denial of service via NMI-unsafe seqcount access in Linux kernel memory slab allocator allows local privileged attackers to trigger kernel deadlock when get_from_any_partial() is called in NMI context. The vulnerability stems from unsafe access to current->mems_allowed_seq (a spinlock-based seqcount) without NMI-safety guarantees, causing lockdep warnings and potential system hang. EPSS exploitation probability is low at 0.02%, and no active exploitation has been confirmed.

Technical ContextAI

The Linux kernel's SLAB memory allocator uses seqcount_spinlock_t to protect access to the current process's mems_allowed_seq field, which tracks NUMA memory node affinity. Seqcount_spinlock_t is designed for single-writer/multi-reader synchronization but is not NMI-safe because NMI (Non-Maskable Interrupt) handlers can interrupt spinlock critical sections, creating a potential deadlock scenario. When get_from_any_partial() executes in an NMI context (a context that cannot be preempted by hardware interrupts except NMI itself), accessing this seqcount violates kernel locking semantics documented in Documentation/locking/seqlock.rst. The fix prevents reading current->mems_allowed_seq when called from contexts where spinlock-based seqcounts are unsafe, using the allow_spin parameter to gate the access.

RemediationAI

Vendor-released patch available: apply stable kernel updates to versions 6.18.16, 6.19.6, or later from kernel.org. Upstream fix is available in the referenced git commits (353dd9934447b9193643ae1afd938607a74d4915 and variants). Administrators running vulnerable kernel versions should update their systems through their distribution's standard kernel update mechanism. No functional workaround exists without patching; however, the attack requires local access and ability to trigger the vulnerable code path (NMI context memory allocation), so restricting perf/kprobes permissions and disabling performance profiling tools on sensitive systems can reduce (but not eliminate) exposure. The patch has minimal side effects-it simply skips mems_allowed_seq access in NMI-unsafe contexts, with the worst case being slightly less optimized NUMA memory placement in those rare scenarios.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy