Skip to main content

Linux Kernel CVE-2026-43340

| EUVDEUVD-2026-28624 MEDIUM
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cxcr-vph9-wv8j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 22:00 vuln.today
CVSS changed
May 15, 2026 - 19:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

comedi: Reinit dev->spinlock between attachments to low-level drivers

struct comedi_device is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member spinlock containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")).

Some COMEDI devices (those created on initialization of the COMEDI subsystem when the "comedi.comedi_num_legacy_minors" parameter is non-zero) can be attached to different low-level drivers over their lifetime using the COMEDI_DEVCONFIG ioctl command. This can result in inconsistent lock states being reported when there is a mismatch in the spin-lock locking levels used by each low-level driver to which the COMEDI device has been attached. Fix it by reinitializing dev->spinlock before calling the low-level driver's attach function pointer if CONFIG_LOCKDEP is enabled.

AnalysisAI

Local denial of service in Linux kernel COMEDI subsystem allows authenticated users to trigger inconsistent lock states when reattaching low-level drivers to legacy COMEDI devices. Exploitation probability is low (EPSS 2%, percentile 7%) with no public exploit identified at time of analysis. Vendor-released patches available across all stable kernel branches from 5.10.253 through 7.0. Affects systems configured with non-zero comedi_num_legacy_minors parameter and requires local authenticated access to COMEDI device nodes.

Technical ContextAI

The COMEDI subsystem provides a unified interface for data acquisition hardware in Linux. The vulnerability exists in the handling of struct comedi_device's spinlock member, which is initialized once by the COMEDI core but used by attached low-level drivers. Legacy COMEDI devices (those created when the comedi.comedi_num_legacy_minors kernel parameter is non-zero) support runtime driver reattachment via the COMEDI_DEVCONFIG ioctl. When different low-level drivers use different spinlock nesting levels without lock reinitialization between attachments, CONFIG_LOCKDEP reports inconsistent lock states. This is a kernel locking state management issue rather than a traditional memory corruption vulnerability. The affected code path was introduced in kernel 2.6.29 and modified by commit 25436dc9d84f which reserved the spinlock for low-level driver use.

RemediationAI

Update to patched Linux kernel versions: 5.10.253 or later for 5.10.y branch, 5.15.203 or later for 5.15.y branch, 6.1.168 or later for 6.1.y branch, 6.6.134 or later for 6.6.y branch, 6.12.81 or later for 6.12.y branch, 6.18.22 or later for 6.18.y branch, 6.19.12 or later for 6.19.y branch, or 7.0 or later for mainline. Upstream patches available at https://git.kernel.org/stable/c/c01bcc67a9a692d65508ebd480405b5e77d562b7 and stable branch equivalents. For systems unable to immediately patch, mitigation options include: disable CONFIG_LOCKDEP in production kernels (eliminates the inconsistent lock state detection, though this is typically already disabled for performance reasons), set comedi.comedi_num_legacy_minors=0 kernel parameter to disable legacy COMEDI device creation (prevents the vulnerable code path entirely but breaks legacy COMEDI device reattachment functionality), or restrict access to /dev/comedi* device nodes to trusted users only via udev rules (limits local attack surface but does not eliminate risk from privileged local users). Note that disabling CONFIG_LOCKDEP is standard practice in production environments and carries no security trade-off as it only affects debugging instrumentation. Setting comedi_num_legacy_minors=0 is the most effective mitigation if legacy COMEDI reattachment is not required, with no operational side effects beyond disabling that specific feature.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy