CVE-2026-43197 - Vulnerability Details

- netconsole: avoid OOB reads, msg is not nul-terminated

Description

In the Linux kernel, the following vulnerability has been resolved:

netconsole: avoid OOB reads, msg is not nul-terminated

msg passed to netconsole from the console subsystem is not guaranteed
to be nul-terminated. Before recent
commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure")
the message would be placed in printk_shared_pbufs, a static global
buffer, so KASAN had harder time catching OOB accesses. Now we see:

printk: console [netcon_ext0] enabled
BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240
Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594

CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9
Call Trace:
kasan_report+0xe4/0x120
string+0x1f7/0x240
vsnprintf+0x655/0xba0
scnprintf+0xba/0x120
netconsole_write+0x3fe/0xa10
nbcon_emit_next_record+0x46e/0x860
nbcon_kthread_func+0x623/0x750

Allocated by task 1:
nbcon_alloc+0x1ea/0x450
register_console+0x26b/0xe10
init_netconsole+0xbb0/0xda0

The buggy address belongs to the object at ffff88813b6d4000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes to the right of
allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to trigger an out‑of‑bounds read in the Linux kernel's netconsole subsystem when a non‑null‑terminated message is processed. The read can expose arbitrary bytes from the kernel heap, potentially leaking sensitive data or enabling further exploitation. The issue is classified as a Buffer Overread (CWE‑119) and can cause kernel crashes observed in KASAN traces.

Affected Systems

Affected systems are Linux kernel installations that include the netconsole feature prior to the patch implementing commit 7eab73b18630. The vulnerability is present in any kernel version that exposes the netconsole console infrastructure without enforcing null termination on messages. The specific versions impacted are not enumerated in the advisory, but all kernels before the fix are potentially vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation evidence. However, the exploit requires either local privileged access or remote control of the netconsole interface, making it a moderate to high risk for systems that expose netconsole to untrusted networks. The KASAN log shows that the read occurs within the netconsole_write routine, which is executed when console data is transmitted to the network, so protective measures that restrict console access can reduce the attack surface.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 3126a2f98beaec5a554a1fb31c46db1e8542665e
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58
`c62c0a17f9b7398022f9eebe547878033264f81f`	affected	< 82aec772fca2223bc5774bd9af486fd95766e578

Linux

affected

Version	Status	Constraints
`6.6`	affected	—
`0`	unaffected	< 6.6
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c62c0a17f9b7398022f9eebe547878033264f81f,3126a2f98beaec5a554a1fb31c46db1e8542665e)`	affected	code_commit	—
`[c62c0a17f9b7398022f9eebe547878033264f81f,74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58)`	affected	code_commit	—
`[c62c0a17f9b7398022f9eebe547878033264f81f,82aec772fca2223bc5774bd9af486fd95766e578)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.6`	affected	semver	—
`[0,6.6)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,7.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the netconsole null‑termination fix
Disable netconsole or restrict its network access if it is not required for system monitoring
Monitor kernel logs for KASAN or out‑of‑bounds error reports and apply additional kernel hardening to reduce exposure

Generated by OpenCVE AI on May 6, 2026 at 14:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e
https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58
https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578

History

Wed, 06 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594 CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750 Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0 The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00)
Title		netconsole: avoid OOB reads, msg is not nul-terminated
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58 https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:04.829Z

Updated: 2026-05-06T11:28:04.829Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43197

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:38.740

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:15:08Z

Weaknesses

CWE-119

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object