Skip to main content

Linux Kernel EUVDEUVD-2026-26633

| CVE-2026-43034 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 18:52 vuln.today
CVSS changed
May 08, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26633
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: set backing store type from query type

bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the firmware response in ctxm->type and later uses that value to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[].

ctxm->type is fixed by the current backing-store query type and matches the array index of ctx->ctx_arr. Set ctxm->type from the current loop variable instead of depending on resp->type.

Also update the loop to advance type from next_valid_type in the for statement, which keeps the control flow simpler for non-valid and unchanged entries.

AnalysisAI

A local denial of service vulnerability in the Linux kernel bnxt_en driver allows authenticated local users to crash the system by triggering an out-of-bounds array access during backing store capability queries. The vulnerability stems from incorrect use of firmware-provided type values to index fixed metadata arrays, rather than using the known loop iteration index. Exploitation requires local access and user-level privileges (PR:L), and no active exploitation has been reported.

Technical ContextAI

The bnxt_en driver is the Broadcom NetXtreme Ethernet driver in the Linux kernel. The vulnerability exists in the bnxt_hwrm_func_backing_store_qcaps_v2() function, which processes firmware responses for backing store capability queries. The function incorrectly stores the firmware-provided resp->type value into ctxm->type and uses this untrusted value to index fixed arrays such as ctx_arr[] and bnxt_bstore_to_trace[]. Since resp->type comes from firmware and may not match the expected backing store query iteration type, it can cause out-of-bounds array access. The fix involves setting ctxm->type from the loop iteration variable (the known backing store query type) rather than from the firmware response, and refactoring the loop to advance through valid backing store types using next_valid_type.

RemediationAI

Apply kernel patches from the following commits: c8d53b70166d1dc463ef42adb7293e1a770822c7, 29732b68a6816a815d58e9ab229844c23617e1e0, or 4ee937107d52f9e5c350e4b5e629760e328b3d9f. Alternatively, upgrade to Linux 6.8 or later, or apply the specific stable patches for Linux 6.18.22, 6.19.12, or 7.0. If kernel patching is not immediately possible, restrict local shell access to non-administrative users and disable the bnxt_en driver if not required for network connectivity (modprobe -r bnxt_en). These workarounds mitigate exploitation by limiting the user base that can trigger the vulnerability, but are not equivalent to patching. References: https://git.kernel.org/stable/c/c8d53b70166d1dc463ef42adb7293e1a770822c7, https://git.kernel.org/stable/c/29732b68a6816a815d58e9ab229844c23617e1e0, https://git.kernel.org/stable/c/4ee937107d52f9e5c350e4b5e629760e328b3d9f.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26633 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy