Skip to main content

Linux Kernel CVE-2026-43486

| EUVDEUVD-2026-30022 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-13 Linux GHSA-9h93-8p35-79jq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Attack success depends on hardware configuration (SMMU without HTTU or CPU lacking FEAT_HAFDBS) beyond attacker control, warranting AC:H over NVD's AC:L.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 21:55 vuln.today
CVSS changed
Jun 26, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
MEDIUM 5.5
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults

contpte_ptep_set_access_flags() compared the gathered ptep_get() value against the requested entry to detect no-ops. ptep_get() ORs AF/dirty from all sub-PTEs in the CONT block, so a dirty sibling can make the target appear already-dirty. When the gathered value matches entry, the function returns 0 even though the target sub-PTE still has PTE_RDONLY set in hardware.

For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered across the CONT range. But page-table walkers that evaluate each descriptor individually (e.g. a CPU without DBM support, or an SMMU without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the unchanged target sub-PTE, causing an infinite fault loop.

Gathering can therefore cause false no-ops when only a sibling has been updated:

  • write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
  • read faults: target still lacks PTE_AF

Fix by checking each sub-PTE against the requested AF/dirty/write state (the same bits consumed by __ptep_set_access_flags()), using raw per-PTE values rather than the gathered ptep_get() view, before returning no-op. Keep using the raw target PTE for the write-bit unfold decision.

Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT range may become the effective cached translation and software must maintain consistent attributes across the range.

AnalysisAI

Infinite fault loop in the Linux kernel's arm64 contiguous PTE (contpte) subsystem exposes systems using SMMU or CPU configurations without hardware dirty-bit management support to a local denial of service. The defect in contpte_ptep_set_access_flags() causes a gathered AF/dirty-bit view across contiguous sub-PTEs to produce false no-ops, leaving individual target sub-PTEs in a stale hardware state that triggers perpetual page faults on non-FEAT_HAFDBS-aware walkers such as SMMMUs without HTTU or CPUs with HA/HD disabled in CD.TCR. No confirmed active exploitation exists; EPSS is 0.02% at the 5th percentile, consistent with the hardware-specific, local-only attack surface.

Technical ContextAI

The affected code resides in the arm64 contpte (contiguous PTE) subsystem of the Linux kernel, identified by CPE cpe:2.3:a:linux:linux. ARM64's contiguous-bit PTE feature allows consecutive page table entries sharing a TLB entry to be grouped; ptep_get() gathers AF (Access Flag) and dirty bits by OR-ing values across all sub-PTEs in the CONT block. The root cause (CWE-835, Infinite Loop) is that contpte_ptep_set_access_flags() compared this gathered view against the requested entry to detect no-ops. When a sibling sub-PTE has already been marked dirty or accessed, the gathered value falsely matches the target, causing the function to return 0 and skip updating the target sub-PTE. Hardware walkers that evaluate each PTE descriptor individually - specifically SMMMUs without HTTU (Hardware Translation Table Update), CPUs lacking FEAT_HAFDBS/DBM support, or systems where HA/HD bits are disabled in the SMMU Context Descriptor's TCR - then encounter the stale target sub-PTE repeatedly, producing an infinite fault loop. Per ARM ARM DDI 0487 D8.7.1, software must maintain consistent attributes across all sub-PTEs in a CONT range, a requirement violated by the false no-op logic.

RemediationAI

Upgrade to the appropriate patched stable kernel release: 6.12.78, 6.18.19, 6.19.9, or 7.0, each containing the corrected per-sub-PTE AF/dirty/write-bit check logic in contpte_ptep_set_access_flags(). Fix commits are available at https://git.kernel.org/stable/c/05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0 (6.12.x), https://git.kernel.org/stable/c/97c5550b763171dbef61e6239cab372b9f9cd4a2 (6.18.x), https://git.kernel.org/stable/c/09d620555e59768776090073a2c59d2bc8506eb3 (6.19.x), and https://git.kernel.org/stable/c/6f92a7a8b48a523f910ef25dd83808710724f59b. As a compensating control where patching is not immediately possible, enabling HA/HD bits in the SMMU Context Descriptor's TCR (if hardware supports FEAT_HAFDBS) causes hardware to gather AF/dirty updates correctly and eliminates the false no-op path; note this shifts dirty-tracking responsibility to hardware and may affect software-managed page-aging accuracy. Alternatively, restricting contiguous-PTE usage via kernel boot parameters (if exposed) would eliminate the vulnerable code path at a potential performance cost due to reduced TLB coalescing.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-43486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy