Description
In the Linux kernel, the following vulnerability has been resolved:

mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()

Although it is guided that `#mbox-cells` must be at least 1, there are
many instances of `#mbox-cells = <0>;` in the device tree. If that is
the case and the corresponding mailbox controller does not provide
`fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will
be used by default and out-of-bounds accesses could occur due to lack of
bounds check in that function.
Published: 2026-05-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Linux kernel mailbox helper function fw_mbox_index_xlate, which performs an out‑of‑bounds memory access when a device tree declares #mbox‑cells as 0 and the mailbox controller does not provide fw_xlate or of_xlate callbacks. Without a bounds check, the function can read or write memory beyond the intended range, leading to kernel memory corruption. The CVE description does not state that this flaw can directly cause privilege escalation, but the corruption could compromise the integrity of the kernel.

Affected Systems

Any Linux kernel image that includes the mailbox subsystem and that loads a device tree containing a #mbox‑cells=0 entry is impacted. This covers many embedded and desktop distributions that compile the mailbox driver into the kernel, regardless of the specific distribution or kernel version, as long as the default fw_mbox_index_xlate routine is present.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity; the EPSS score of <1% points to a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an attacker to modify firmware or the device tree that the kernel loads during boot, a condition that is inferred from the nature of the flaw. If such modification is possible, the out‑of‑bounds access could destabilize the kernel or be leveraged in indirect ways to affect system behaviour.

Generated by OpenCVE AI on May 8, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the CVE-2026-43281 fix.
  • Verify that all device trees or firmware images set #mbox‑cells to a positive integer and never to zero.
  • If the mailbox subsystem is not required, disable it via kernel boot parameters or by removing the module until a patched kernel is available.

Generated by OpenCVE AI on May 8, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.18:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.
Title mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:31.452Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43281

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:49.587

Modified: 2026-05-08T19:13:43.250

Link: CVE-2026-43281

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:00:10Z

Weaknesses