CVE-2026-43210 - Vulnerability Details

- tracing: ring-buffer: Fix to check event length before using

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing next index in
rb_read_data_buffer(). Since this function is used for validating
possibly broken ring buffers, the length of the event could be broken.
In that case, the new event (e + len) can point a wrong address.
To avoid invalid memory access at boot, check whether the length of
each event is in the possible range before using it.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel tracing ring‑buffer implementation fails to verify the length field before using it to compute a pointer into the ring buffer. This flaw can cause an out‑of‑bounds memory access when an event contains a malformed length, potentially leading to kernel memory corruption or system crash. Based on the description, a malicious input could trigger this behavior.

Affected Systems

All Linux kernel releases that include the vulnerable tracing implementation before the commit that introduces the length‑check are affected. The issue applies to the default tracing and ftrace subsystems across all major distributions.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, while the EPSS score of <1% reflects a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, implying no known live exploits. The flaw is local and requires an ability to influence kernel tracing, such as providing crafted events to the tracing subsystem. Inferred that exploitation would involve supplying an event with an invalid length to trigger the out‑of‑bounds access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< b4700c089a10f89de3a5149d57f8a58306458982
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< 5026010110a5ad2268d8c23e1e286ab7c736f7ac
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< 9eb80e54494ef1efef8a64bec4ffa672c9cf411e
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< 912b0ee248c529a4f45d1e7f568dc1adddbf2a4a

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,b4700c089a10f89de3a5149d57f8a58306458982)`	affected	code_commit	—
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,5026010110a5ad2268d8c23e1e286ab7c736f7ac)`	affected	code_commit	—
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,9eb80e54494ef1efef8a64bec4ffa672c9cf411e)`	affected	code_commit	—
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,912b0ee248c529a4f45d1e7f568dc1adddbf2a4a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the ring‑buffer length‑check patch.
Disable the vulnerable tracing and ftrace subsystems by setting ftrace.enabled=0 or removing related modules if an updated kernel cannot be applied.
Monitor system logs for kernel panics or abnormal tracing activity to detect potential exploitation.

Generated by OpenCVE AI on May 11, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5026010110a5ad2268d8c23e1e286ab7c736f7ac
https://git.kernel.org/stable/c/912b0ee248c529a4f45d1e7f568dc1adddbf2a4a
https://git.kernel.org/stable/c/9eb80e54494ef1efef8a64bec4ffa672c9cf411e
https://git.kernel.org/stable/c/b4700c089a10f89de3a5149d57f8a58306458982
https://lore.kernel.org/linux-cve-announce/2026050649-CVE-2026-43210-f4dd@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43210
https://www.cve.org/CVERecord?id=CVE-2026-43210

History

Mon, 11 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 04:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-787

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1284
References		https://lore.kernel.org/linux-cve-announce/2026050649-CVE-2026-43210-f4dd@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43210 https://www.cve.org/CVERecord?id=CVE-2026-43210
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 06 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-787

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tracing: ring-buffer: Fix to check event length before using Check the event length before adding it for accessing next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it.
Title		tracing: ring-buffer: Fix to check event length before using
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5026010110a5ad2268d8c23e1e286ab7c736f7ac https://git.kernel.org/stable/c/912b0ee248c529a4f45d1e7f568dc1adddbf2a4a https://git.kernel.org/stable/c/9eb80e54494ef1efef8a64bec4ffa672c9cf411e https://git.kernel.org/stable/c/b4700c089a10f89de3a5149d57f8a58306458982

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:13.609Z

Updated: 2026-05-11T22:20:07.951Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43210

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:40.417

Modified: 2026-05-11T19:58:20.160

Link: CVE-2026-43210

Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43210 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object