Skip to main content

Linux Kernel EUVDEUVD-2026-27769

| CVE-2026-43210 MEDIUM
2026-05-06 Linux GHSA-f9ff-3974-gp4h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 20:07 vuln.today
CVSS changed
May 11, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it.

AnalysisAI

Local denial of service in Linux kernel ring-buffer tracing code allows authenticated local users to crash the system by triggering invalid memory access through malformed event length fields. The vulnerability exists in rb_read_data_buffer(), which validates possibly corrupted ring buffers at boot but fails to verify event lengths are within acceptable ranges before calculating buffer offsets. EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified.

Technical ContextAI

The Linux kernel's ring-buffer tracing subsystem uses rb_read_data_buffer() to validate and recover from potentially corrupted ring buffers, particularly during boot initialization. The vulnerability resides in the kernel's tracing infrastructure (likely in kernel/trace/ring_buffer.c). When processing events from a ring buffer, the function calculates the address of the next event by adding the current event's length to the current event pointer (e + len). If an event's length field is corrupted or maliciously malformed, this pointer arithmetic can reference invalid kernel memory, resulting in out-of-bounds access. The CWE classification is not provided, but the root cause is improper input validation (bounds checking) on untrusted event length metadata before use in pointer calculation. This is a local vector vulnerability requiring authenticated user privileges and logical CPU access.

RemediationAI

Update Linux kernel to a patched version: 6.12.75, 6.18.16, 6.19.6, or 7.0 or later, depending on your current branch. Kernel patches are available from git.kernel.org/stable at commits b4700c089a10f89de3a5149d57f8a58306458982, 5026010110a5ad2268d8c23e1e286ab7c736f7ac, 9eb80e54494ef1efef8a64bec4ffa672c9cf411e, and 912b0ee248c529a4f45d1e7f568dc1adddbf2a4a corresponding to different stable branches. No workarounds are available without patching; the fix is an input validation check (bounds verification of event length fields) within the rb_read_data_buffer() function, essential to prevent out-of-bounds access during ring-buffer recovery. If immediate patching is not possible, restrict tracing functionality and disable ring-buffer validation on untrusted data, though this reduces kernel observability and is not recommended as a long-term mitigation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy