Skip to main content

Linux Kernel EUVDEUVD-2026-27809

| CVE-2026-43248 HIGH
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-xpcf-mwvf-62v9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:42 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

vhost: move vdpa group bound check to vhost_vdpa

Remove duplication by consolidating these here. This reduces the posibility of a parent driver missing them.

While we're at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out of bound write.

AnalysisAI

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's vhost subsystem, specifically in the vDPA (virtio Data Path Acceleration) driver framework used for hardware-accelerated virtio device emulation. The vdpa_sim simulator component contains a bounds checking flaw where Address Space Identifier (ASID) group validation was improperly delegated to parent drivers rather than centralized in vhost_vdpa. The bug allows assignment of a valid ASID to a group index equal to ngroups (the maximum group count), which in C array indexing results in accessing one element beyond the allocated array boundary. This out-of-bounds write occurs in kernel memory space during vDPA group configuration operations. The affected CPE cpe:2.3:a:linux:linux confirms impact across multiple kernel versions starting from the introduction of vDPA group management in commit bda324fd037a6b0d44da5699574ce741ca161bc4 (kernel 5.19+).

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.75+ for 6.12.x series, 6.18.16+ for 6.18.x series, 6.19.6+ for 6.19.x series, or 7.0+ for mainline. Vendor patches consolidate ASID group bounds checking in vhost_vdpa core (commits linked at https://git.kernel.org/stable/c/ddb57354634b6ba851b79da45f1de42c646f27d0 and related stable branches). If immediate patching is not feasible, disable vDPA device support by blacklisting vhost_vdpa and vdpa_sim kernel modules (modprobe.d blacklist), though this eliminates hardware-accelerated virtio functionality for VMs and may degrade performance in virtualization workloads. For high-security environments, restrict access to /dev/vhost-vdpa* device nodes using udev rules to trusted virtualization management processes only, reducing local attacker surface. Compensating controls trade virtualization performance (vDPA disablement) or operational flexibility (device access restrictions) for security. Patching remains the only complete remediation without functional trade-offs.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy