Description
In the Linux kernel, the following vulnerability has been resolved:

ima: verify the previous kernel's IMA buffer lies in addressable RAM

Patch series "Address page fault in ima_restore_measurement_list()", v3.

When the second-stage kernel is booted via kexec with a limiting command
line such as "mem=<size>" we observe a page fault that happens.

BUG: unable to handle page fault for address: ffff97793ff47000
RIP: ima_restore_measurement_list+0xdc/0x45a
#PF: error_code(0x0000) not-present page

This happens on x86_64 only, as this is already fixed in aarch64 in
commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer
against memory bounds")


This patch (of 3):

When the second-stage kernel is booted with a limiting command line (e.g.
"mem=<size>"), the IMA measurement buffer handed over from the previous
kernel may fall outside the addressable RAM of the new kernel. Accessing
such a buffer can fault during early restore.

Introduce a small generic helper, ima_validate_range(), which verifies
that a physical [start, end] range for the previous-kernel IMA buffer lies
within addressable memory:
- On x86, use pfn_range_is_mapped().
- On OF based architectures, use page_is_ram().
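
The check described above, as an added user-space example in C (not the kernel patch and not code from this page): it rejects a handed-over physical range unless every page of it lies in memory the new kernel has mapped. The mapped-range table, model_range_is_mapped() and validate_prev_kernel_buffer() are hypothetical names and constructed data standing in for the kernel's own memory map and helpers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Constructed stand-in for the RAM the new kernel has mapped, as PFN
 * ranges [start_pfn, end_pfn). Models a boot limited to 1 GiB. */
struct pfn_range { uint64_t start_pfn, end_pfn; };
static const struct pfn_range mapped[] = {
    { 0x00001, 0x0009f },   /* low memory below the legacy hole */
    { 0x00100, 0x40000 },   /* 1 MiB up to the 1 GiB limit */
};

/* Hypothetical model of an "is this whole PFN range mapped?" query:
 * true only if [start_pfn, end_pfn) fits inside one mapped range. */
static bool model_range_is_mapped(uint64_t start_pfn, uint64_t end_pfn)
{
    for (size_t i = 0; i < sizeof(mapped) / sizeof(mapped[0]); i++)
        if (start_pfn >= mapped[i].start_pfn && end_pfn <= mapped[i].end_pfn)
            return true;
    return false;
}

/* Returns 0 if the handed-over buffer [phys, phys + size - 1] is fully
 * addressable, -1 if it must be ignored instead of dereferenced. */
int validate_prev_kernel_buffer(uint64_t phys, uint64_t size)
{
    if (size == 0 || size - 1 > UINT64_MAX - phys)
        return -1;                      /* empty, or end address wraps */
    uint64_t end = phys + size - 1;     /* inclusive last byte */
    return model_range_is_mapped(phys >> PAGE_SHIFT,
                                 (end >> PAGE_SHIFT) + 1) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: inside RAM, above the limit, straddling it. */
    printf("%d %d %d\n",
           validate_prev_kernel_buffer(0x10000000, 0x1000),
           validate_prev_kernel_buffer(0x13ff47000, 0x1000),
           validate_prev_kernel_buffer(0x3ffff000, 0x2000));
    return 0;
}
```

The straddling case is the one a start-address-only check would miss: the first page is mapped, the last is not.
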
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the second‑stage kernel is launched using kexec with a memory limiting argument like "mem=<size>", the IMA measurement buffer supplied from the previous kernel can lie outside the addressable RAM of the new kernel. Accessing such a buffer triggers a page fault during the early restore phase, causing a kernel panic. This manifests as a buffer‑over‑read fault that leads to a denial of service for the entire system.

Affected Systems

The bug is present in the IMA subsystem of the Linux kernel on x86_64 processors. On aarch64 it is already fixed by commit cbf9c4b9617b, but the problem remains in all x86_64 kernels that do not yet include the patch from this series that introduces ima_validate_range(). Affected kernels are those prior to the inclusion of this helper in the mainline.

Risk and Exploitability

There is no EPSS data and the vulnerability is not listed in CISA KEV. The flaw results in a critical denial of service through an unhandled page fault. Exploitation requires the attacker to control or influence the kexec boot process, which is typically limited to privileged or local users. While the probability of exploitation is low under normal operation, it is potentially high if an attacker can insert a crafted mem= parameter or otherwise trigger kexec on a vulnerable kernel.

Generated by OpenCVE AI on May 6, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that provides the patch series "Address page fault in ima_restore_measurement_list()", v3, which validates the IMA buffer range
  • Reconfigure kexec to omit or correctly set the mem= parameter so that the second‑stage kernel maps sufficient RAM for the IMA buffer
  • Enable early kernel logging or debug output to detect unexpected page faults during IMA restoration


Advisories

No advisories yet.

History

Wed, 06 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title ima: verify the previous kernel's IMA buffer lies in addressable RAM
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:18.180Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43129

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:29.963

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:00:05Z

Weaknesses