Skip to main content

Linux Kernel EUVDEUVD-2026-27804

| CVE-2026-43241 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-c449-x267-6vp6
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 14:37 vuln.today
CVSS changed
May 11, 2026 - 14:37 NVD
7.1 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access

Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS, This patch protects against invalid index out of bounds access to mw_sizes When invalid access print message to user that configuration is not valid.

AnalysisAI

Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Technical ContextAI

The vulnerability resides in the ntb_hw_switchtec driver (drivers/ntb/hw/mscc/ntb_hw_switchtec.c), part of the Linux kernel's Non-Transparent Bridge subsystem. NTB technology enables direct memory access between separate systems or PCIe domains. The Switchtec implementation manages Memory Window (MW) Lookup Tables whose count varies based on hardware configuration. When configurations specify MAX_MWS memory windows, the driver fails to validate array indices before accessing the mw_sizes array, resulting in CWE-125 (Out-of-bounds Read). This classic buffer over-read can expose adjacent kernel memory contents or cause kernel panics if invalid memory is accessed. The CVSS vector (AV:L/AC:L/PR:L) indicates local attack surface with low complexity, while S:U (unchanged scope) confirms the vulnerability remains contained within the kernel context.

RemediationAI

Upgrade to patched Linux kernel versions appropriate for your kernel branch: 5.10.252 or later for 5.10.x series, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or upgrade to mainline kernel 7.0 or later. Patches available from kernel.org stable trees (https://git.kernel.org/stable/) with specific commits identified in references. For systems unable to immediately patch, implement compensating controls: unload the ntb_hw_switchtec kernel module if NTB functionality is not required (modprobe -r ntb_hw_switchtec), configure NTB with fewer than MAX_MWS memory windows if operationally feasible, or restrict local user access to systems with Switchtec hardware through stricter authentication policies and user privilege reduction. Note that disabling the driver eliminates NTB functionality entirely, impacting inter-system memory access for clustered applications. Validate NTB configuration post-patching to ensure memory window settings remain within supported bounds. Systems without Switchtec hardware can deprioritize this update in favor of higher-risk vulnerabilities.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy