CVE-2026-43272 - Vulnerability Details

- ring-buffer: Fix possible dereference of uninitialized pointer

Description

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix possible dereference of uninitialized pointer

There is a pointer head_page in rb_meta_validate_events() which is not
initialized at the beginning of a function. This pointer can be dereferenced
if there is a failure during reader page validation. In this case the control
is passed to "invalid" label where the pointer is dereferenced in a loop.

To fix the issue initialize orig_head and head_page before calling
rb_validate_buffer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s ring‑buffer subsystem can dereference an uninitialized pointer when a failure occurs during reader page validation. The head_page pointer is not set at the beginning of rb_meta_validate_events() and is later dereferenced in a loop after a jump to an error handling label, potentially causing a kernel crash or a denial of service. This flaw is a classic example of a null or uninitialized pointer dereference that can destabilize the system.

Affected Systems

Any system running a Linux kernel that contains the ring‑buffer code compiled without the recent fix. No specific kernel releases are listed, so the vulnerability may exist in a wide range of versions until the patch is applied. Linux distributions that ship the kernel version affected by this change are at risk.

Risk and Exploitability

The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation in the wild. The CVSS score is 5.5, indicating moderate severity. Nonetheless, the flaw can be exploited by locally running code that triggers the failing reader page validation, leading to kernel panic. Given the lack of a public exploit and the severity of a kernel crash, the risk remains moderate for affected systems but the likelihood of widespread exploitation is considered low pending discovery of a remote exploit vector.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< bc77986f3cb7476637052edf2d87137fa39f153d
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< d9942396845fef2369478c157b26738fe07142f6
`5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55`	affected	< f1547779402c4cd67755c33616b7203baa88420b

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,bc77986f3cb7476637052edf2d87137fa39f153d)`	affected	code_commit	—
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,d9942396845fef2369478c157b26738fe07142f6)`	affected	code_commit	—
`[5f3b6e839f3ceb8d6ef02231ba9b5aca71b8bf55,f1547779402c4cd67755c33616b7203baa88420b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	semver	—
`[6.18.16,6.18.*]`	unaffected	generic	—
`[6.19.6,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates the patch from commit bc77986f3cb7476637052edf2d87137fa39f153d, d9942396845fef2369478c157b26738fe07142f6, or f1547779402c4cd67755c33616b7203baa88420b.
Reboot the system after upgrading the kernel to ensure the new kernel is in use.
If a custom kernel or manually compiled kernel is in use, recompile it with the updated source to include the same patch fixes.
Monitor kernel logs for ring-buffer related errors (e.g., "Kernel BUG in rb_meta_validate_events") to confirm the issue has been resolved.

Generated by OpenCVE AI on May 8, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/bc77986f3cb7476637052edf2d87137fa39f153d
https://git.kernel.org/stable/c/d9942396845fef2369478c157b26738fe07142f6
https://git.kernel.org/stable/c/f1547779402c4cd67755c33616b7203baa88420b
https://lore.kernel.org/linux-cve-announce/2026050611-CVE-2026-43272-da4b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43272
https://www.cve.org/CVERecord?id=CVE-2026-43272

History

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Thu, 07 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://lore.kernel.org/linux-cve-announce/2026050611-CVE-2026-43272-da4b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43272 https://www.cve.org/CVERecord?id=CVE-2026-43272
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 06 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title		ring-buffer: Fix possible dereference of uninitialized pointer
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/bc77986f3cb7476637052edf2d87137fa39f153d https://git.kernel.org/stable/c/d9942396845fef2369478c157b26738fe07142f6 https://git.kernel.org/stable/c/f1547779402c4cd67755c33616b7203baa88420b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:56.162Z

Updated: 2026-05-11T22:21:21.003Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43272

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:48.433

Modified: 2026-05-08T20:00:37.403

Link: CVE-2026-43272

Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43272 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:45:19Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object