Skip to main content

Linux Kernel EUVDEUVD-2026-27669

| CVE-2026-43274 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-w4mh-vmr5-87jc
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:45 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.4 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 8.4

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()

The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu().

AnalysisAI

Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the mailbox subsystem's Microchip IPC SBI (Supervisor Binary Interface) driver in the Linux kernel, specifically the mchp_ipc_get_cluster_aggr_irq() function. The driver allocates a cluster_cfg array sized according to num_online_cpus() to store per-CPU interrupt aggregation configuration. The flaw stems from using hartid (hardware thread ID from RISC-V architecture) as an array index rather than cpuid. In RISC-V systems, hartid values are platform-specific and may be non-contiguous (e.g., 0, 2, 5, 7) or start at arbitrary offsets, while cpuid from for_each_online_cpu() guarantees sequential values from 0 to n-1. When hartid exceeds the array size or points to unallocated memory, the kernel performs out-of-bounds reads or writes, corrupting adjacent memory structures. This represents a classic buffer overflow vulnerability where array bounds checking depends on incorrect assumptions about index value ranges. The affected CPE strings indicate the vulnerability exists from early kernel development (commit 1da177e4c3f4) through recent 6.x and 7.x series until patched in commits 0442b6229e2e (6.18.16), f7c330a8c83c (6.19.6), and 95438699c929 (7.0).

RemediationAI

Upgrade to patched Linux kernel versions 6.18.16, 6.19.6, or 7.0 and later from kernel.org stable trees (see commit references at https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867, https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c, and https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d). For systems unable to upgrade immediately, disable the Microchip IPC SBI mailbox driver by blacklisting the kernel module (echo 'blacklist mchp_ipc_sbi' >> /etc/modprobe.d/cve-2026-43274.conf and rebuild initramfs) if mailbox functionality is not required for system operation - note this breaks inter-processor communication on multi-hart RISC-V systems relying on this IPC mechanism, potentially disabling CPU hotplug or cluster management features. Alternative mitigation: recompile kernel without CONFIG_MAILBOX_MCHP_IPC_SBI option, though this requires kernel build infrastructure and testing. For production RISC-V environments where the driver is essential, prioritize kernel upgrade within 30-day patch cycle and restrict local shell access using mandatory access control (SELinux/AppArmor) to minimize local exploit opportunities until patching completes. Vendor advisory available at https://nvd.nist.gov/vuln/detail/CVE-2026-43274.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy