Description
In the Linux kernel, the following vulnerability has been resolved:

EFI/CPER: don't go past the ARM processor CPER record buffer

There's a logic inside GHES/CPER to detect if the section_length
is too small, but it doesn't detect if it is too big.

Currently, if the firmware receives an ARM processor CPER record
stating that a section length is big, the kernel will blindly trust
section_length, producing a very long dump. For instance, a 67-byte
record with ERR_INFO_NUM set to 46198 and section length
set to 854918320 would dump a lot of data going way past the
firmware memory-mapped area.

Fix it by adding logic to prevent it from going past the buffer
if ERR_INFO_NUM is too big, making it report instead:

[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
[Hardware Error]: event severity: recoverable
[Hardware Error]: Error 0, type: recoverable
[Hardware Error]: section_type: ARM processor error
[Hardware Error]: MIDR: 0xff304b2f8476870a
[Hardware Error]: section length: 854918320, CPER size: 67
[Hardware Error]: section length is too big
[Hardware Error]: firmware-generated error record is incorrect
[Hardware Error]: ERR_INFO_NUM is 46198

[ rjw: Subject and changelog tweaks ]
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s CPER handling for ARM processors trusts the section_length field of firmware‑supplied CPER records without fully validating it. If a record advertises a very large section length, the kernel blindly reads beyond the end of the firmware memory region. This buffer over‑read can expose large amounts of kernel memory that may contain sensitive data, which represents a significant information‑disclosure risk and corresponds to CWE‑130: Buffer Overread.
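The bounds check this paragraph describes, as an added user-space example (not the kernel's code or the actual patch). The header layout, the 32-byte entry size, and the names validate_arm_section and make_record are assumptions made for illustration; the 67-byte size and the two field values come from the description above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the ARM processor section header (assumed layout,
 * host byte order); section_length and err_info_num come from firmware. */
struct arm_sec_hdr {
    uint32_t validation_bits;
    uint16_t err_info_num;
    uint16_t context_info_num;
    uint32_t section_length;
};
#define ERR_INFO_SIZE 32u /* assumed size of one error-info entry */

enum rec_check { REC_OK, REC_TOO_SMALL, REC_TOO_BIG, REC_BAD_COUNT };

/* buf/avail describe the bytes actually present, not what the record claims. */
enum rec_check validate_arm_section(const uint8_t *buf, size_t avail)
{
    struct arm_sec_hdr h;

    if (avail < sizeof(h))
        return REC_TOO_SMALL;
    memcpy(&h, buf, sizeof(h));          /* copy out: no unaligned access */
    if (h.section_length < sizeof(h))
        return REC_TOO_SMALL;            /* lower bound */
    if (h.section_length > avail)
        return REC_TOO_BIG;              /* upper bound: the missing check */
    /* 64-bit arithmetic so count * size cannot wrap */
    if (sizeof(h) + (uint64_t)h.err_info_num * ERR_INFO_SIZE > h.section_length)
        return REC_BAD_COUNT;
    return REC_OK;
}

/* Constructed sample: zeroed buffer whose header carries the given claims. */
void make_record(uint8_t *out, size_t cap, uint16_t n, uint32_t claimed_len)
{
    struct arm_sec_hdr h = { 0, n, 0, claimed_len };
    memset(out, 0, cap);
    memcpy(out, &h, cap < sizeof(h) ? cap : sizeof(h));
}

int main(void)
{
    uint8_t rec[67];                     /* sizes taken from the description */
    make_record(rec, sizeof(rec), 46198, 854918320u);
    printf("check = %d\n", validate_arm_section(rec, sizeof(rec)));
    return 0;
}
```

A dump routine that walks the entries only after this returns REC_OK never reads outside the bytes it was handed, whatever the header claims.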

Affected Systems

The flaw exists in any Linux kernel configured with CPER support for ARM processors. All ARM‑based Linux systems that process CPER records from firmware and have not yet incorporated the patch are vulnerable.

Risk and Exploitability

The likely attack vector is firmware‑level manipulation. This inference is based on the requirement that a firmware or firmware‑loader supply a malicious CPER record, which means the kernel cannot be exploited remotely. Because no public proof‑of‑concept exists and the attack surface is limited to systems running untrusted or custom firmware, the risk is moderate. The EPSS score is < 1%, and the CVSS score is 5.5, indicating moderate severity; the vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on May 8, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the CPER section‑length validation patch and reboot the system so the updated kernel can handle CPER records correctly.
  • Verify that firmware updates are signed and come from trusted sources to reduce the chance of a malicious CPER record reaching the kernel.
  • If the patch is unavailable or cannot be applied immediately, reconfigure the kernel to disable ARM CPER support (clear CONFIG_ARM_CP_ERR) so the kernel no longer parses ARM‑specific CPER records.

Advisories
Source: Debian DLA
ID: DLA-4606-1
Title: linux security update

History

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126
CWE-200

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux kernel
Vendors & Products Linux kernel

Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126
CWE-200

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ]
Title EFI/CPER: don't go past the ARM processor CPER record buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:14.159Z

Reserved: 2026-05-01T14:12:55.997Z

Link: CVE-2026-43266

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:47.647

Modified: 2026-05-08T20:46:52.477

Link: CVE-2026-43266

Red Hat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43266 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T22:45:05Z

Weaknesses