Skip to main content

Linux Kernel CVE-2026-45993

| EUVDEUVD-2026-32289 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r2fv-v53q-68f3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Spectre v1 side-channel requires local unprivileged access and complex timing measurements (AC:H), with confidentiality the actual impact; no availability or integrity effect.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 13:53 vuln.today
CVSS changed
Jun 16, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Add spectre boundry for syscall dispatch table

The LoongArch syscall number is directly controlled by userspace, but does not have a array_index_nospec() boundry to prevent access past the syscall function pointer tables.

AnalysisAI

Speculative execution bounds bypass on LoongArch allows a local unprivileged user to trigger out-of-bounds speculative reads against the kernel syscall dispatch table, potentially leaking kernel memory via cache side-channels. Affected are Linux kernel stable branches prior to 6.6.140, 6.12.86, 6.18.27, and 7.0.4 running on LoongArch architecture. No public exploit code has been identified at time of analysis, and EPSS at 0.02% reflects very low observed exploitation probability; patches are available across all affected stable series.

Technical ContextAI

The LoongArch architecture syscall dispatch path in the Linux kernel uses a function pointer table indexed directly by a user-controlled syscall number. The missing array_index_nospec() macro - the standard Linux kernel mitigation for Spectre variant 1 (CVE-2017-5753, bounds check bypass) - means the CPU can speculatively dereference beyond the end of the syscall table before the hardware resolves the bounds check. The array_index_nospec() primitive uses a bitmask-based index clamp that forces the speculative path to a safe in-bounds index, preventing the microarchitecture from transiently reading and caching out-of-bounds kernel data. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* spanning all LoongArch kernel builds in the vulnerable stable series. No CWE was formally assigned, but this maps most accurately to CWE-1421 (Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution). A data conflict exists in the source intelligence: the vulnerability is mechanistically a speculative side-channel (information disclosure), yet the provided CVSS vector scores C:N/A:H, and the tags independently label it 'Information Disclosure' - this discrepancy is noted but not resolved from available data.

RemediationAI

Upgrade to a patched Linux kernel version: 6.6.140 or later for the 6.6 stable branch, 6.12.86 or later for the 6.12 stable branch, 6.18.27 or later for the 6.18 stable branch, or 7.0.4 or later for the 7.0 stable branch; mainline is fixed in 7.1-rc1. Fix commits are published at https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d (6.6.x), https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90 (6.12.x), https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d (6.18.x), https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750 (7.0.x), and https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533 (mainline). If immediate patching is not possible, restrict untrusted local user access on LoongArch systems - this does not eliminate the flaw but reduces attacker opportunity by limiting who can issue arbitrary syscalls. Enabling existing Spectre v1 mitigations (spectre_v1=on kernel parameter, if independently supported by LoongArch kernel config) may partially mitigate, but the definitive fix is the array_index_nospec() boundary in the upstream commits.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-45993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy