CVE-2026-43197 - Vulnerability Details

- netconsole: avoid OOB reads, msg is not nul-terminated

Description

In the Linux kernel, the following vulnerability has been resolved:

netconsole: avoid OOB reads, msg is not nul-terminated

msg passed to netconsole from the console subsystem is not guaranteed
to be nul-terminated. Before recent
commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure")
the message would be placed in printk_shared_pbufs, a static global
buffer, so KASAN had harder time catching OOB accesses. Now we see:

printk: console [netcon_ext0] enabled
BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240
Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594

CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9
Call Trace:
kasan_report+0xe4/0x120
string+0x1f7/0x240
vsnprintf+0x655/0xba0
scnprintf+0xba/0x120
netconsole_write+0x3fe/0xa10
nbcon_emit_next_record+0x46e/0x860
nbcon_kthread_func+0x623/0x750

Allocated by task 1:
nbcon_alloc+0x1ea/0x450
register_console+0x26b/0xe10
init_netconsole+0xbb0/0xda0

The buggy address belongs to the object at ffff88813b6d4000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes to the right of
allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)

Published: 2026-05-06

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs when messages sent from the console subsystem to the Linux kernel’s netconsole interface are not null‑terminated. The netconsole_write logic then reads beyond the allocated buffer, producing an out‑of‑bounds read that can expose arbitrary data from the kernel heap or trigger a kernel fault observed in KASAN logs. This classic buffer overread and string handling flaw is identified as CWE‑125 (Out‑of‑Bounds Read) and CWE‑170 (String Not Null-Terminated). The over‑read can lead to information disclosure or a kernel crash, affecting confidentiality and availability of the affected kernel. Based on the description, it is inferred that the likely attack vector involves injection of malformed console messages, which requires either local privileged access or remote control of the netconsole network endpoint.

Affected Systems

Affected systems are Linux kernel installations that include the netconsole restriction console infrastructure before the commit 7eab73b18630 introduced proper null termination. The advisory does not list explicit kernel versions, so any kernel that exposes netconsole without that patch meets the vulnerability criteria. The vulnerability applies to all variants that use the netconsole subsystem, regardless of distribution.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity. The EPSS score of < 1% indicates a very low probability of exploitation, and the CVE is not listed in CISA KEV, suggesting limited or no publicly documented exploitation. Based on the description, it is inferred that the attack requires either local privileged access or remote administrative control over the netconsole network interface, which limits the attack surface. Nevertheless, the over‑read can lead to information disclosure or a kernel crash, which would provide a foothold for further escalation, so the overall risk is considered high for systems with exposed netconsole.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 3126a2f98beaec5a554a1fb31c46db1e8542665e
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 82aec772fca2223bc5774bd9af486fd95766e578

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c62c0a17f9b7398022f9eebe547878033264f81f,3126a2f98beaec5a554a1fb31c46db1e8542665e)`	affected	code_commit	—
`[c62c0a17f9b7398022f9eebe547878033264f81f,74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58)`	affected	code_commit	—
`[c62c0a17f9b7398022f9eebe547878033264f81f,82aec772fca2223bc5774bd9af486fd95766e578)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	semver	—
`[0,6.6)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the commit that guarantees null‑termination for netconsole messages.
Disable the netconsole subsystem if it is not required, or remove the network console configuration to prevent exposure of the vulnerable code path.
If the kernel upgrade or disabling the subsystem is not immediately possible, restrict netconsole traffic using firewall rules or kernel netfilter to limit access to trusted sources, and monitor kernel logs for KASAN or out‑of‑bounds errors.

Generated by OpenCVE AI on May 11, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e
https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58
https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578
https://lore.kernel.org/linux-cve-announce/2026050644-CVE-2026-43197-37f5@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43197
https://www.cve.org/CVERecord?id=CVE-2026-43197

History

Mon, 11 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Thu, 07 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-170
References		https://lore.kernel.org/linux-cve-announce/2026050644-CVE-2026-43197-37f5@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43197 https://www.cve.org/CVERecord?id=CVE-2026-43197
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 06 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594 CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750 Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0 The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)
Title		netconsole: avoid OOB reads, msg is not nul-terminated
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58 https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:04.829Z

Updated: 2026-05-11T22:19:43.376Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43197

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:38.740

Modified: 2026-05-11T20:11:44.147

Link: CVE-2026-43197

Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43197 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object