Skip to main content

Linux Kernel EUVDEUVD-2026-28559

| CVE-2026-43289 MEDIUM
2026-05-08 Linux GHSA-3xcp-xr96-v535
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 19:01 vuln.today
CVSS changed
May 15, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

kexec: derive purgatory entry from symbol

kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN.

Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fallback for purgatories that do not expose the symbol.

WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784 Call Trace: <TASK> bzImage64_load+0x133/0xa00 __do_sys_kexec_file_load+0x2b3/0x5c0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[me@linux.beauty: move helper to avoid forward declaration, per Baoquan]

AnalysisAI

Local denial of service in Linux kernel's kexec subsystem allows authenticated attackers to trigger kernel warning and system instability. The kexec_load_purgatory() function incorrectly derives the purgatory entry point when multiple executable sections have overlapping sh_addr values, causing a WARN condition that disrupts kexec operations. With CVSS 5.5 (AV:L/AC:L/PR:L/UI:N) and EPSS at 0.02%, this represents low real-world exploitation risk. Patches available across multiple stable kernel versions including 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.

Technical ContextAI

The vulnerability resides in kernel/kexec_file.c within the Linux kernel's kexec subsystem, which enables loading and executing a new kernel from the currently running kernel. The kexec_load_purgatory() function is responsible for loading the purgatory code-a small intermediary program that runs between the old and new kernels during a kexec transition. The function derives the entry point (image->start) by locating e_entry inside SHF_EXECINSTR (executable) sections. When the purgatory ELF object contains multiple executable sections with overlapping sh_addr (section addresses), the entry point validation logic can match multiple times, triggering a WARN at kernel/kexec_file.c:1009. The patch resolves this by deriving the entry section from the purgatory_start symbol when present, computing image->start from its final placement, while maintaining e_entry fallback for older purgatory binaries. Affected CPE indicates broad Linux kernel impact: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or mainline 7.0 and later. Patch commits available at https://git.kernel.org/stable/c/027797595a108726f4a0a45d225f603b0ffbd22b (one branch), https://git.kernel.org/stable/c/1737d37ae1d2814e6cf0a1af87af3d41f0812b95, https://git.kernel.org/stable/c/f736032c638a33a243e9126e617788f763d648f9, https://git.kernel.org/stable/c/cfccd3b8c51bc57a8a6fcb2fd30453afae5bc0d2, https://git.kernel.org/stable/c/875355152b33436907c2a6d2ffad1431fa86c62b, https://git.kernel.org/stable/c/36eb314184a0ae74dd42914b47d2b9fc43be8034, https://git.kernel.org/stable/c/5226570bd252cea2e805a161cb0f75c204c3108a, and https://git.kernel.org/stable/c/480e1d5c64bb14441f79f2eb9421d5e26f91ea3d for various stable branches. Compensating control: restrict access to CAP_SYS_BOOT capability required for kexec_file_load syscall through LSM policies (SELinux, AppArmor) or seccomp filters, limiting kexec operations to trusted administrative processes only-this prevents unprivileged local users from triggering the vulnerability but impacts legitimate kexec/kdump functionality for restricted users. Organizations not using kexec for fast reboots or crash dumps can disable CONFIG_KEXEC_FILE at kernel build time, eliminating the attack surface entirely but removing kdump capabilities.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy