Skip to main content

Linux Kernel EUVDEUVD-2026-27375

| CVE-2026-43071 CRITICAL
Out-of-bounds Read (CWE-125)
2026-05-05 Linux GHSA-977x-crv2-w57m
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:22 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.1 (CRITICAL)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:29 nvd
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB!

Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.

AnalysisAI

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Technical ContextAI

This vulnerability affects the Linux Kernel's directory entry cache (dcache) hash table implementation in fs/dcache.c. The issue occurs when the dhash_entries kernel boot parameter is set to 1, causing dcache_init() to allocate only a single bucket in dentry_hashtable and calculate d_hash_shift as 32. During d_lookup operations, the hash calculation performs a right shift of a u32 value by 32 bits, which is undefined behavior in C when the shift amount equals or exceeds the operand's bit width. This causes the bucket pointer to reference unallocated memory beyond the single allocated bucket, triggering an out-of-bounds read when hlist_bl_for_each_entry_rcu attempts to traverse the invalid bucket. The dentry cache is fundamental to Linux filesystem path resolution, converting filesystem pathnames to inodes efficiently. This vulnerability demonstrates how edge-case input validation failures in low-level kernel data structures can create memory safety issues, though it requires deliberate misconfiguration via boot parameters that would never occur in production environments.

RemediationAI

Upgrade to patched Linux Kernel versions: 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, or 7.1-rc1 and later. Organizations running affected kernel versions should apply the upstream commits (426ef05e82ee52c8d0e95fc0808b7383d8352d73 for mainline, or the appropriate stable branch commit from https://git.kernel.org/stable/). As an immediate workaround, ensure the dhash_entries kernel boot parameter is not set to 1 in bootloader configurations (GRUB, systemd-boot, etc.). The default kernel behavior (not setting this parameter) is not vulnerable. Review and audit all custom kernel boot parameters to remove dhash_entries=1 if present in /etc/default/grub, /boot/loader/entries/, or other boot configuration files. Note this workaround has no operational side effects since dhash_entries=1 represents an invalid configuration that would degrade filesystem performance. For containerized environments, verify host kernel versions as container isolation does not mitigate kernel-level vulnerabilities. Testing the patch in non-production environments is recommended but low-risk given the fix simply enforces a minimum bucket count of two.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy