Skip to main content

Linux Kernel EUVDEUVD-2026-27760

| CVE-2026-43201 MEDIUM
2026-05-06 Linux GHSA-2439-4xrr-7j2r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 20:22 vuln.today
CVSS changed
May 11, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

APEI/GHES: ARM processor Error: don't go past allocated memory

If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to deferrence

err->section_length and ctx_info->size

Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this:

[ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP [ 1.495449] Modules linked in: [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1.497199] pc : log_arm_hw_error+0x5c/0x200 [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220

0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75). 70 err_info = (struct cper_arm_err_info *)(err + 1); 71 ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num); 72 ctx_err = (u8 *)ctx_info; 73 74 for (n = 0; n < err->context_info_num; n++) { 75 sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size; 76 ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz); 77 ctx_len += sz; 78 } 79

and similar ones while trying to access section_length on an error dump with too small size.

[ rjw: Subject tweaks ]

AnalysisAI

Denial of service in Linux kernel APEI/GHES ARM processor error handling allows local authenticated attackers to trigger kernel oops by crafting malformed ARM Processor Error records with incomplete or oversized section data, causing out-of-bounds memory dereference. CVSS 5.5 (local, low complexity, authenticated, availability impact only) with EPSS 0.02% indicates low real-world exploitation probability despite public patch availability.

Technical ContextAI

The vulnerability exists in the APEI (ACPI Platform Error Interface) and GHES (Generic Hardware Error Source) subsystem, specifically in drivers/ras/ras.c function log_arm_hw_error(). The code attempts to iterate through ARM Processor Error context information structures without validating that the total error section size accommodates the declared context info count and individual context info sizes. When BIOS provides a malformed ARM Processor Error record via GHES with declared context_info_num values that exceed the actual allocated section_length, pointer arithmetic in lines 75-76 dereferences memory beyond the allocated error section, triggering kernel oops. The CWE classification is not explicitly provided but this represents a classic out-of-bounds read/write vulnerability in kernel memory error handling.

RemediationAI

Update Linux kernel to patched versions: 6.12.75 or later, 6.18.16 or later, 6.19.6 or later, or 7.0 and later. Fixes are available from kernel.org stable releases at https://git.kernel.org/stable/c/242c652849d979d0133c315a42d9acea0ff88390 and related commit links provided in references. For systems unable to immediately patch, restrict administrative/root access to firmware error injection mechanisms and monitor system logs for kernel oops messages indicating APEI/GHES processing failures (kernel panic in log_arm_hw_error or ghes_handle_arm_hw_error). No functional workaround exists without patching; the vulnerability can only be triggered by malformed ACPI firmware data or deliberate GHES manipulation, so systems with stable/trustworthy BIOS implementations have lower practical risk. Patching is strongly recommended for ARM-based systems (QEMU VMs, ARM servers) that rely on APEI/GHES for hardware error logging.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy