Skip to main content

Linux Kernel CVE-2026-43466

| EUVDEUVD-2026-28772 HIGH
2026-05-08 Linux GHSA-757p-mh2f-rf8w
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:39 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.2 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 8.2

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery

In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer.

After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery.

The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched.

Remove the 'dma_fifo_cc = 0' reset.

This fixes the following WARNING: WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 Call Trace: <IRQ> ? __warn+0x7d/0x110 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0x16d/0x180 ? handle_bug+0x4f/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 ? iommu_dma_unmap_page+0x2e/0x90 dma_unmap_page_attrs+0x10d/0x1b0 mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] __napi_poll+0x24/0x190 net_rx_action+0x32a/0x3b0 ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] ? notifier_call_chain+0x35/0xa0 handle_softirqs+0xc9/0x270 irq_exit_rcu+0x71/0xd0 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40

AnalysisAI

DMA memory corruption in Linux kernel mlx5e driver allows denial-of-service and potential data integrity violations when recovering from TX error completion queue entries. The vulnerability affects mlx5 Ethernet driver users from kernel 4.17 onwards, causing desynchronization between DMA FIFO producer/consumer counters during error recovery, leading to unmapping of stale DMA addresses and IOMMU warnings. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).

Technical ContextAI

This vulnerability resides in the mlx5e network driver's TX error recovery path, specifically in the mlx5e_reset_txqsq_cc_pc() function. The mlx5 driver is Mellanox/NVIDIA's ConnectX network adapter driver supporting high-performance Ethernet and RDMA. The DMA FIFO (First-In-First-Out queue) is a software-only structure tracking DMA mappings for transmit descriptors, using producer (dma_fifo_pc) and consumer (dma_fifo_cc) counters. During TX error CQE (Completion Queue Entry) recovery, the code incorrectly resets only the consumer counter to zero while leaving the producer counter at its previous value, violating FIFO invariants. This desynchronization causes the cleanup path to unmap DMA addresses from before the error occurred rather than current mappings, triggering IOMMU subsystem warnings when invalid DMA addresses are processed. The vulnerability demonstrates a state management flaw in error handling paths where paired data structures must maintain synchronized state.

RemediationAI

Upgrade to patched kernel versions: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 and later. Upstream patches available at kernel.org git: 9c5ee9b981ee (mainline), 1633111d6905 (6.19.x), 6f41f7812bfa (6.18.x), 383b37c04a48 (6.12.x), ce1b19dd0684 (6.6.x), 829efcccfa8f (6.1.x), 6eb68ecc5acc (5.15.x), 821f85d619f7 (5.10.x). No configuration workaround exists as this is a code logic error in the driver. For systems unable to immediately patch, compensating controls include: disabling mlx5 network interfaces if alternative NICs are available (reduces functionality but eliminates exposure), or implementing network-level rate limiting to reduce TX queue pressure and error probability (limited effectiveness, does not prevent exploitation). Monitor kernel logs for IOMMU warnings at drivers/iommu/dma-iommu.c:1240 indicating potential exploitation. Mitigation priority should align with presence of Mellanox hardware - systems without mlx5-based NICs are not vulnerable regardless of kernel version.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy