Description
In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets
'dhash_entries=1':
BUG: unable to handle page fault for address: ffff888b30b774b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP PTI
RIP: 0010:__d_lookup+0x56/0x120
Call Trace:
d_lookup.cold+0x16/0x5d
lookup_dcache+0x27/0xf0
lookup_one_qstr_excl+0x2a/0x180
start_dirop+0x55/0xa0
simple_start_creating+0x8d/0xa0
debugfs_start_creating+0x8c/0x180
debugfs_create_dir+0x1d/0x1c0
pinctrl_init+0x6d/0x140
do_one_initcall+0x6d/0x3d0
kernel_init_freeable+0x39f/0x460
kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is
set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
following process will access more than one buckets(which memory region
is not allocated) in dentry_hashtable:
d_lookup
b = d_hash(hash)
dentry_hashtable + ((u32)hashlen >> d_hash_shift)
// The C standard defines the behavior of right shift amounts
// exceeding the bit width of the operand as undefined. The
// result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
// so 'b' will point to an unallocated memory region.
hlist_bl_for_each_entry_rcu(b)
hlist_bl_first_rcu(head)
h->first // read OOB!

Fix it by limiting the minimal number of dentry_hashtable bucket to two,
so that 'd_hash_shift' won't exceeds the bit width of type u32.
Published: 2026-05-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the kernel’s dentry cache hash table is forced to use only one bucket by setting the sysctl parameter dhash_entries to 1. The hash shift value computed by dcache_init then becomes larger than the bit width of a 32‑bit integer, causing the lookup procedure to calculate an array index that points outside the allocated bucket array. This out‑of‑bounds read occurs during a hash bucket scan and triggers a supervisor page fault, resulting in a kernel OOPS. The crash can destabilize the system and may be exploitable if an attacker can influence the parameter or trigger the lookup path, but no clear exploit path is described in the provided information.

Affected Systems

All Linux kernel versions that allow sysctl dhash_entries to be set to 1 are affected. No specific kernel releases are listed, so any distribution using a kernel before the patch that limits the minimal number of hash buckets to two remains vulnerable.

Risk and Exploitability

The CVSS score is 9.1, and the EPSS score is less than 1%.

Generated by OpenCVE AI on May 8, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that limits dentry_hashtable buckets to at least two, which removes the out-of-bounds read path.
  • If a kernel update is not immediately possible, configure the system to disallow the use of a single dentry hashtable bucket by setting the sysctl dhash_entries to 2 or higher, thereby preventing the unsafe hash shift calculation.
  • Monitor kernel logs for OOPS incidents or fatal errors relating to d_lookup; if such events occur, investigate whether the sysctl parameter or the kernel configuration may have been changed to an unsafe value.

Generated by OpenCVE AI on May 8, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:3.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.17:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.17:rc7:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 05 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.
Title dcache: Limit the minimal number of bucket to two
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:14.167Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43071

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T16:16:16.420

Modified: 2026-05-29T17:57:44.603

Link: CVE-2026-43071

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43071 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T15:30:05Z

Weaknesses