Skip to main content

Linux Kernel CVE-2026-43302

| EUVDEUVD-2026-28572 MEDIUM
Incorrect Calculation of Buffer Size (CWE-131)
2026-05-08 Linux GHSA-v89v-4458-f6hp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 15, 2026 - 13:37 vuln.today
CVSS changed
May 15, 2026 - 13:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Set DMA segment size to avoid debug warnings

When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length.

DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536] WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388 CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1 Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : debug_dma_map_sg+0x330/0x388 lr : debug_dma_map_sg+0x330/0x388 sp : ffff8000829a3ac0 x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000 x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000 x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002 x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573 x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000 x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001 x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280 Call trace: debug_dma_map_sg+0x330/0x388 __dma_map_sg_attrs+0xc0/0x278 dma_map_sgtable+0x30/0x58 drm_gem_shmem_get_pages_sgt+0xb4/0x140 v3d_bo_create_finish+0x28/0x130 [v3d] v3d_create_bo_ioctl+0x54/0x180 [v3d] drm_ioctl_kernel+0xc8/0x140 drm_ioctl+0x2d4/0x4d8

AnalysisAI

Linux kernel DMA API debug warnings in V3D rendering driver cause denial of service when CONFIG_DMA_API_DEBUG is enabled and V3D segment sizes exceed the default 64K maximum. The vulnerability affects systems using V3D graphics rendering (particularly Raspberry Pi 5) with debug DMA API enabled, allowing local authenticated users to trigger kernel warnings and potential system instability by creating V3D buffer objects larger than the device's claimed DMA segment size limit.

Technical ContextAI

The V3D (VideoCore VI) rendering driver in the Linux kernel failed to set the 'max_seg_size' DMA constraint for its devices. When CONFIG_DMA_API_DEBUG is enabled, the kernel's debug_dma_map_sg() function validates DMA scatter-gather segment sizes against the device's declared maximum. The V3D driver did not declare a maximum segment size, causing the kernel to apply a default 64KB limit. When V3D allocates larger scatter-gather entries (such as 8MB buffers for GPU rendering), debug_dma_map_sg() at kernel/dma/debug.c:1179 triggers a WARNING due to the segment size mismatch. This is a configuration and validation issue rather than a memory corruption or access control flaw - the actual DMA operation succeeds, but the debug code warns about the mismatch. The fix involves setting 'max_seg_size' to the maximum value the V3D hardware supports, allowing larger contiguous DMA segments without triggering false-positive debug warnings. CWE-131 (Incorrect Calculation of Buffer Size) applies because the kernel's default calculation of segment limits does not match the driver's actual capability.

RemediationAI

Upgrade to patched kernel versions: Linux 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 and later. For immediate remediation without kernel upgrade, disable CONFIG_DMA_API_DEBUG in the kernel configuration if DMA debug validation is not required for your use case. This eliminates the debug warnings while preserving V3D functionality, with the trade-off of losing DMA validation diagnostics. Alternatively, if staying on an older kernel and DMA debugging is needed for GPU troubleshooting, apply the corresponding stable patch commit from https://git.kernel.org/stable/ for your specific kernel series. For Raspberry Pi 5 users running Pi OS or similar distributions, check for updated kernel packages from your distribution that include this fix. System administrators managing development/test environments with CONFIG_DMA_API_DEBUG should prioritize upgrading or patching, while production deployments using standard kernel configurations (without debug options) face minimal practical impact.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy