Skip to main content

Linux Kernel CVE-2026-43473

| EUVDEUVD-2026-28779 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-4rpc-8842-rq53
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 13:22 vuln.today
CVSS changed
May 21, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Add NULL checks when resetting request and reply queues

The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash.

Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup

AnalysisAI

Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.

Technical ContextAI

The mpi3mr driver (MPI3 Message Passing Interface Multi-path RAID) manages high-performance SCSI storage controllers in the Linux kernel. During initialization, the driver allocates and configures reply and request queues. CWE-476 (NULL Pointer Dereference) manifests in the cleanup path: when queue creation fails, the driver deallocates the queue memory structures but the cleanup routine proceeds to call memset on those now-freed (NULL) pointers without first checking for NULL. This is a classic use-after-free/NULL-dereference pattern in kernel error-path code, where the unhappy path receives less testing than the nominal path. Affected CPE is cpe:2.3:a:linux:linux across all versions from the initial kernel commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) up to the respective stable branch fix commits.

RemediationAI

The primary fix is upgrading to a patched kernel: 5.15.203 (LTS), 6.1.167 (LTS), 6.6.130 (LTS), 6.12.78, 6.18.19, 6.19.9, or 7.0. Upstream stable commits are available at https://git.kernel.org/stable/c/f8e833572a3e12a2a1ffe7b3646af024264d38ca, https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600, https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8, and additional branch-specific commits listed in the CVE references. As a compensating control for systems that cannot immediately be patched, blacklisting the mpi3mr kernel module (adding 'blacklist mpi3mr' to /etc/modprobe.d/) will prevent the driver from loading entirely, eliminating exposure at the cost of losing functionality for any attached MPI3 SCSI storage controllers - this is only viable if those controllers are not in use or are redundant.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy