Skip to main content

Linux Kernel CVE-2026-43409

| EUVDEUVD-2026-28715 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-pfxc-r4m8-gw9p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 19:08 vuln.today
CVSS changed
May 21, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

kprobes: avoid crash when rmmod/insmod after ftrace killed

After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes.

BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:kprobes_module_callback+0x89/0x790 RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02 RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90 RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002 R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040 FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0 Call Trace: <TASK> notifier_call_chain+0xc6/0x280 blocking_notifier_call_chain+0x60/0x90 __do_sys_delete_module.constprop.0+0x32a/0x4e0 do_syscall_64+0x5d/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

This is because the kprobe on ftrace does not correctly handles the kprobe_ftrace_disabled flag set by ftrace_kill().

To prevent this error, check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip all ftrace related operations.

AnalysisAI

Kernel crash (page fault) in the Linux kernel's kprobes subsystem allows a local authenticated user to trigger a system denial-of-service by removing a module containing kprobe probes after ftrace has been killed due to prior errors. The affected code path in kprobes_module_callback does not check the kprobe_ftrace_disabled flag set by ftrace_kill(), causing invalid memory access traceable via KASAN at address fffffbfff805000d. No active exploitation has been confirmed; EPSS is 0.02% (5th percentile), reflecting the niche preconditions required.

Technical ContextAI

The Linux kernel's kprobes subsystem instruments live kernel code by hooking function entry/exit points, and integrates with ftrace for probe placement. When ftrace encounters a fatal internal error, it invokes ftrace_kill(), which sets the kprobe_ftrace_disabled flag to signal that ftrace-related operations must cease. The vulnerability exists because __disarm_kprobe_ftrace() and the kprobes_module_callback notifier handler do not check this flag before performing ftrace operations during module unload. This leads to a NULL pointer dereference or invalid memory access (CWE-476) as the code attempts to operate on ftrace infrastructure that has been torn down. The CPE string cpe:2.3:a:linux:linux covers all affected kernel builds; EUVD data anchors the regression to commit ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b, introduced in approximately kernel 3.7.

RemediationAI

Upgrade to a patched Linux kernel version: 7.0, 6.19.9, 6.18.19, 6.12.78, or 6.6.130, applying the relevant stable fix commit for your active branch from kernel.org (links above). Distribution-specific backports should be monitored via your vendor's security advisories. If immediate patching is not feasible, restrict CAP_SYS_MODULE using security policies (seccomp, SELinux, AppArmor, or capability dropping in container runtimes) to prevent unauthorized module loading and unloading - note this may impact legitimate kernel module workflows. Additionally, limiting the use of kprobes-based instrumentation tools (e.g., BPF tracing, perf) in production environments reduces the attack surface. No workaround eliminates the underlying race between ftrace kill state and module unload; patching is the definitive fix.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy