Description
In the Linux kernel, the following vulnerability has been resolved:

mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()

The cluster_cfg array is dynamically allocated to hold per-CPU
configuration structures, with its size based on the number of online
CPUs. Previously, this array was indexed using hartid, which may be
non-contiguous or exceed the bounds of the array, leading to
out-of-bounds access.
Switch to using cpuid as the index, as it is guaranteed to be within
the valid range provided by for_each_online_cpu().
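
The indexing mistake described above, modelled in user-space C as an added example (this is not code from the kernel driver). The struct body, the two hart id maps and the IRQ numbers are constructed; only the names cluster_cfg, hartid and cpuid come from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct cluster_cfg { int irq; };   /* stand-in for the per-CPU config struct */

/* Constructed hart id maps, indexed by logical cpu id 0..3. */
const unsigned long shifted_harts[4] = { 1, 2, 3, 4 };   /* hart 0 not online */
const unsigned long sparse_harts[4]  = { 0, 1, 16, 17 }; /* non-contiguous */

/* Bounds-checked slot lookup; NULL when idx is outside the n-entry array. */
struct cluster_cfg *cfg_at(struct cluster_cfg *cfg, size_t n, size_t idx)
{
    return idx < n ? &cfg[idx] : NULL;
}

/* How many online CPUs would index past the array if hartid were the index. */
size_t oob_if_indexed_by_hartid(const unsigned long *hartid, size_t n)
{
    size_t bad = 0;
    for (size_t cpu = 0; cpu < n; cpu++)
        if (hartid[cpu] >= n)
            bad++;
    return bad;
}

/* Fixed pattern: the logical cpu id is the index, hartid is only data.
 * Returns the array (caller frees) or NULL on allocation failure. */
struct cluster_cfg *fill_by_cpuid(const unsigned long *hartid, size_t n)
{
    struct cluster_cfg *cfg = calloc(n, sizeof(*cfg));
    if (!cfg)
        return NULL;
    for (size_t cpu = 0; cpu < n; cpu++)
        cfg_at(cfg, n, cpu)->irq = 100 + (int)hartid[cpu]; /* constructed IRQs */
    return cfg;
}

int main(void)
{
    struct cluster_cfg *cfg = fill_by_cpuid(shifted_harts, 4);
    if (!cfg)
        return 1;
    for (size_t cpu = 0; cpu < 4; cpu++)
        printf("cpu %zu hart %lu: cpuid slot %s, hartid slot %s\n", cpu,
               shifted_harts[cpu], cfg_at(cfg, 4, cpu) ? "ok" : "OOB",
               cfg_at(cfg, 4, shifted_harts[cpu]) ? "in range" : "OOB");
    free(cfg);
    return 0;
}
```

Even where a hartid happens to fall inside the array, it selects a different slot than the cpuid does, so a size check alone would not have been an equivalent fix.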
Published: 2026-05-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel mailbox subsystem, the mchp-ipc-sbi driver used hartid to index a per-CPU configuration array. Because hartid values are not guaranteed to be contiguous or limited to the number of online CPUs, the driver could access memory outside the bounds of the array. The patch replaces hartid with cpuid, which is guaranteed to be within the valid range provided by the online CPU enumeration. The flaw is an out-of-bounds memory corruption (CWE-125, CWE-1285) that could affect kernel memory integrity.

Affected Systems

Any Linux kernel containing the upstream mchp-ipc-sbi driver before the commit that switches to cpuid indexing is affected. The vulnerability applies to kernels that have not yet incorporated the patch. No specific version ranges are available; all supported kernels that still use the old implementation remain vulnerable.

Risk and Exploitability

The flaw is an out-of-bounds memory corruption (CWE-125, CWE-1285). The CVSS score of 8.4 indicates high severity, and the EPSS score of < 1% suggests low current exploitation probability. It is not listed in the CISA KEV catalog, indicating no confirmed exploits. The likely attack vector is local: an attacker would need to trigger the mailbox function on a system with the vulnerable driver. Because the vulnerability can affect kernel memory, the risk is considered high for affected systems.

Generated by OpenCVE AI on May 8, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the mchp-ipc-sbi patch
  • Apply any distribution-specific security updates that incorporate the kernel fix
  • If required, cherry-pick the relevant commit(s) from the upstream kernel repository and rebuild the kernel to include the fix

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq() The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu().
Title mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:23.317Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43274

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:48.680

Modified: 2026-05-08T19:31:52.370

Link: CVE-2026-43274

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43274 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:00:10Z

Weaknesses