Description
In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets
'dhash_entries=1':
BUG: unable to handle page fault for address: ffff888b30b774b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP PTI
RIP: 0010:__d_lookup+0x56/0x120
Call Trace:
d_lookup.cold+0x16/0x5d
lookup_dcache+0x27/0xf0
lookup_one_qstr_excl+0x2a/0x180
start_dirop+0x55/0xa0
simple_start_creating+0x8d/0xa0
debugfs_start_creating+0x8c/0x180
debugfs_create_dir+0x1d/0x1c0
pinctrl_init+0x6d/0x140
do_one_initcall+0x6d/0x3d0
kernel_init_freeable+0x39f/0x460
kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is
set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
the following process will access more than one bucket (whose memory region
is not allocated) in dentry_hashtable:
  d_lookup
    b = d_hash(hash)
      dentry_hashtable + ((u32)hashlen >> d_hash_shift)
      // The C standard defines the behavior of right shift amounts
      // exceeding the bit width of the operand as undefined. The
      // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
      // so 'b' will point to an unallocated memory region.
    hlist_bl_for_each_entry_rcu(b)
      hlist_bl_first_rcu(head)
        h->first // read OOB!

Fix it by limiting the minimal number of dentry_hashtable buckets to two,
so that 'd_hash_shift' won't exceed the bit width of type u32.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the kernel’s dentry cache hash table is forced to use only one bucket by setting the sysctl parameter dhash_entries to 1. The hash shift value computed by dcache_init then becomes larger than the bit width of a 32‑bit integer, causing the lookup procedure to calculate an array index that points outside the allocated bucket array. This out‑of‑bounds read occurs during a hash bucket scan and triggers a supervisor page fault, resulting in a kernel OOPS. The crash can destabilize the system and may be exploitable if an attacker can influence the parameter or trigger the lookup path, but no clear exploit path is described in the provided information.
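
The index arithmetic described above, as an added example (not kernel source and not part of the OpenCVE record). It assumes a power-of-two bucket count, takes the shift as 32 minus log2 of the bucket count (which matches the description's value of 32 for one bucket), and models the x86 masking of a 32-bit shift count to five bits with an explicit mask so the program itself has no undefined behaviour; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* floor(log2(n)) for n >= 1; stand-in for the kernel's ilog2(). */
static unsigned int ilog2_u32(uint32_t n)
{
    unsigned int r = 0;
    while (n >>= 1)
        r++;
    return r;
}

/* Assumed formula: keep the top log2(buckets) bits of a 32-bit hash. */
static unsigned int hash_shift_for(uint32_t buckets)
{
    return 32 - ilog2_u32(buckets);
}

/* Models '(u32)hash >> shift' on x86, where the count is masked to 5 bits.
 * The explicit '& 31' avoids UB here: a shift by 32 returns the hash itself. */
static uint32_t bucket_index_x86(uint32_t hash, unsigned int shift)
{
    return hash >> (shift & 31);
}

/* The fix as the description states it: never fewer than two buckets. */
static uint32_t clamp_buckets(uint32_t requested)
{
    return requested < 2 ? 2 : requested;
}

/* 1 if the computed index falls outside an array of 'buckets' heads. */
static int index_out_of_bounds(uint32_t hash, uint32_t buckets)
{
    return bucket_index_x86(hash, hash_shift_for(buckets)) >= buckets;
}

int main(void)
{
    const uint32_t hash = 0x9e3779b9u;      /* constructed sample hash */
    const uint32_t requested[] = { 1, 2, 1024 };
    for (size_t i = 0; i < sizeof(requested) / sizeof(requested[0]); i++) {
        uint32_t n = requested[i], fixed = clamp_buckets(n);
        printf("buckets=%u shift=%u oob=%d | clamped=%u shift=%u oob=%d\n",
               n, hash_shift_for(n), index_out_of_bounds(hash, n),
               fixed, hash_shift_for(fixed), index_out_of_bounds(hash, fixed));
    }
    return 0;
}
```

With one bucket the modelled index equals the full hash value, far past the single allocated head; after clamping to two buckets the shift is 31 and the index can only be 0 or 1.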

Affected Systems

All Linux kernel versions that allow sysctl dhash_entries to be set to 1 are affected. No specific kernel releases are listed, so any distribution using a kernel before the patch that limits the minimal number of hash buckets to two remains vulnerable.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. Because the exploit requires kernel parameter manipulation and a non‑trivial path to trigger the out‑of‑bounds read, the current risk is uncertain, but a crash is guaranteed if the conditions are met.

Generated by OpenCVE AI on May 5, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that limits dentry_hashtable buckets to at least two, which removes the out-of-bounds read path.
  • If a kernel update is not immediately possible, configure the system to disallow the use of a single dentry hashtable bucket by setting the sysctl dhash_entries to 2 or higher, thereby preventing the unsafe hash shift calculation.
  • Monitor kernel logs for OOPS incidents or fatal errors relating to d_lookup; if such events occur, investigate whether the sysctl parameter or the kernel configuration may have been changed to an unsafe value.



Advisories

No advisories yet.

History

Tue, 05 May 2026 18:30:00 +0000

Type: Weaknesses
Values Added: CWE-119, CWE-20

Tue, 05 May 2026 16:15:00 +0000

Values Added:
Description: identical to the text in the Description section at the top of this page
Title: dcache: Limit the minimal number of bucket to two
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:29:28.081Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43071

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T16:16:16.420

Modified: 2026-05-05T16:16:16.420

Link: CVE-2026-43071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T19:00:11Z
