Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: set backing store type from query type

bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
firmware response in ctxm->type and later uses that value to index
fixed backing-store metadata arrays such as ctx_arr[] and
bnxt_bstore_to_trace[].

ctxm->type is fixed by the current backing-store query type and matches
the array index of ctx->ctx_arr. Set ctxm->type from the current loop
variable instead of depending on resp->type.

Also update the loop to advance type from next_valid_type in the for
statement, which keeps the control flow simpler for non-valid and
unchanged entries.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s bnxt_en network driver, firmware responses provide a type value that is stored in a context structure and later used as an index into internal arrays such as ctx_arr[] and bnxt_bstore_to_trace[]. When the firmware supplies a type outside the valid range, the driver can index beyond the allocated bounds of these arrays, leading to kernel memory corruption. This flaw represents CWE‑823, Improper Validation or Sanitization. Based on the description, it is inferred that an attacker able to supply an out‑of‑range type value could overwrite kernel memory or crash the system.
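The pattern described above, as an added user-space model that is not the driver's code: the struct layouts, `MAX_TYPES`, `INVALID_TYPE`, `fake_fw_query()` and `unsafe_indices()` are assumptions made for illustration, and the firmware replies are constructed. It stores the type once from the firmware echo and once from the loop variable, then counts how many stored types a later table lookup could not safely use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TYPES    8        /* size of the fixed metadata arrays (assumed) */
#define INVALID_TYPE 0xffff   /* end-of-list marker (assumed) */

struct fw_resp  { uint16_t type, next_valid_type, entry_size; };
struct ctx_mem  { uint16_t type, entry_size; };
struct ctx_info { struct ctx_mem ctx_arr[MAX_TYPES]; };

/* Constructed firmware: valid types are 0 -> 2 -> 5, but the reply to
 * query 2 echoes a corrupt type field (200). */
static void fake_fw_query(uint16_t type, struct fw_resp *resp)
{
    resp->type = (type == 2) ? 200 : type;
    resp->next_valid_type = type == 0 ? 2 : type == 2 ? 5 : INVALID_TYPE;
    resp->entry_size = 64;
}

/* trust_resp = 1: store the echoed type (the 'before' behaviour).
 * trust_resp = 0: store the query type, which is also the array index.
 * The for statement advances from next_valid_type in both cases. */
static void qcaps(struct ctx_info *ctx, int trust_resp)
{
    struct fw_resp resp = { 0 };

    memset(ctx, 0, sizeof(*ctx));
    for (uint16_t type = 0; type < MAX_TYPES; type = resp.next_valid_type) {
        struct ctx_mem *ctxm = &ctx->ctx_arr[type];

        fake_fw_query(type, &resp);
        ctxm->type = trust_resp ? resp.type : type;
        ctxm->entry_size = resp.entry_size;
    }
}

/* Counts populated entries whose stored type would index past a
 * MAX_TYPES-sized table if a later consumer used it as an index. */
static int unsafe_indices(const struct ctx_info *ctx)
{
    int bad = 0;

    for (int i = 0; i < MAX_TYPES; i++)
        if (ctx->ctx_arr[i].entry_size && ctx->ctx_arr[i].type >= MAX_TYPES)
            bad++;
    return bad;
}

int main(void)
{
    struct ctx_info ctx;

    qcaps(&ctx, 1); printf("echoed type: %d unsafe\n", unsafe_indices(&ctx));
    qcaps(&ctx, 0); printf("query type:  %d unsafe\n", unsafe_indices(&ctx));
    return 0;
}
```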

Affected Systems

The vulnerability resides in the bnxt_en driver that ships with all Linux kernel releases containing the affected code. The CPE list references kernel 7.0 release candidates rc1 through rc6, but the patch commit appears in earlier stable releases as well, meaning any kernel that has not yet incorporated the fix, whether a distribution kernel or a custom build, is at risk.

Risk and Exploitability

The CVSS score of 5.5 denotes moderate severity, while the EPSS score of less than 1 % indicates a very low exploitation probability. The flaw is not listed in the CISA KEV catalog. The likely attack vector is the ability to manipulate firmware responses, which normally requires local or privileged access. Based on the EPSS score, it is inferred that exploitation attempts are unlikely at this time. Without publicly available exploits, the current risk remains moderate pending further evidence.

Generated by OpenCVE AI on May 8, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the bnxt_en patch commit, such as the latest stable distribution package or a manually patched kernel source.
  • If an immediate kernel update is not possible, unload the bnxt_en kernel module or disable the affected network interface to mitigate exposure until a fix can be applied.
  • For custom kernel builds, recompile the kernel with the updated bnxt_en source that performs proper index validation.



Advisories

No advisories yet.

History

Fri, 08 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bnxt_en: set backing store type from query type bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the firmware response in ctxm->type and later uses that value to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[]. ctxm->type is fixed by the current backing-store query type and matches the array index of ctx->ctx_arr. Set ctxm->type from the current loop variable instead of depending on resp->type. Also update the loop to advance type from next_valid_type in the for statement, which keeps the control flow simpler for non-valid and unchanged entries.
Title bnxt_en: set backing store type from query type
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:26.338Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43034

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:48.037

Modified: 2026-05-08T18:41:52.870

Link: CVE-2026-43034

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43034 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T00:00:25Z

Weaknesses