Description
In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: add a sanity check on previous kernel's ima kexec buffer

When the second-stage kernel is booted via kexec with a limiting command
line such as "mem=<size>", the physical range that contains the carried
over IMA measurement list may fall outside the truncated RAM leading to a
kernel panic.

BUG: unable to handle page fault for address: ffff97793ff47000
RIP: ima_restore_measurement_list+0xdc/0x45a
#PF: error_code(0x0000) – not-present page

Other architectures already validate the range with page_is_ram(), as done
in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer
against memory bounds") do a similar check on x86.

Without carrying the measurement list across kexec, the attestation
would fail.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel panics when a second‑stage kernel is booted with a limited memory size via kexec. The IMA measurement list from the previous kernel is carried into the new kernel, but the physical memory range it occupies may fall outside the truncated RAM. Because the x86 kernel lacked a sanity check, the kernel attempts to restore the list from memory that no longer exists, resulting in a page fault and a kernel panic. This flaw represents improper input validation and out‑of‑bounds memory access causing a loss of availability. Based on the description, it is inferred that an attacker could forcibly bring the system down.

Affected Systems

All x86 editions of the Linux kernel that use kexec and have IMA enabled without the patch are affected. No specific version numbers are supplied, so any release emitted before the inclusion of the sanity‑check commit should be considered vulnerable. The affected product is the Linux kernel running on Intel or AMD processors.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating moderate severity. A kernel panic disables the operating system and requires a reboot. EPSS is unavailable and the flaw is not listed in the CISA KEV catalog. It appears to be triggerable by a local attacker with kexec privileges, or by an entity that can reboot the system with a memory limit. Given the impact on availability, the risk is significant even without confirmed exploitation evidence.

Generated by OpenCVE AI on May 7, 2026 at 05:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit adding a sanity check for the IMA kexec buffer (for example, pull the latest stable release that incorporates the patch).
  • If a kernel update is not feasible, disable the IMA kexec buffer carry‑over feature or remove the mem=<size> parameter from all kexec invocations to prevent the out‑of‑bounds memory access.
  • As a temporary safeguard, avoid using kexec with a memory limit until a patched kernel is in place. If IMA is not required for your environment, consider disabling IMA entirely to eliminate the vulnerable code path.

Generated by OpenCVE AI on May 7, 2026 at 05:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: x86/kexec: add a sanity check on previous kernel's ima kexec buffer When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) – not-present page Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86. Without carrying the measurement list across kexec, the attestation would fail.
Title x86/kexec: add a sanity check on previous kernel's ima kexec buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:34.269Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43240

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:44.330

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43240

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z

Weaknesses