Description
In the Linux kernel, the following vulnerability has been resolved:

kexec: derive purgatory entry from symbol

kexec_load_purgatory() derives image->start by locating e_entry inside an
SHF_EXECINSTR section. If the purgatory object contains multiple
executable sections with overlapping sh_addr, the entrypoint check can
match more than once and trigger a WARN.

Derive the entry section from the purgatory_start symbol when present and
compute image->start from its final placement. Keep the existing e_entry
fallback for purgatories that do not expose the symbol.

WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784
Call Trace:
<TASK>
bzImage64_load+0x133/0xa00
__do_sys_kexec_file_load+0x2b3/0x5c0
do_syscall_64+0x81/0x610
entry_SYSCALL_64_after_hwframe+0x76/0x7e

[me@linux.beauty: move helper to avoid forward declaration, per Baoquan]
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in kexec_load_purgatory(), where the kernel calculates image->start by searching for e_entry inside any SHF_EXECINSTR section. If a purgatory object contains multiple executable sections with overlapping sh_addr, this search can match more than once and trigger a WARN. The patch derives the entry section from the purgatory_start symbol when present, avoiding the ambiguous lookup, and keeps the e_entry lookup as the fallback for purgatories that do not expose the symbol. The failure manifests only as a warning in current releases, though it indicates that the kernel could incorrectly select an entry point for a kexec operation.
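
A simplified model of the two entry-point derivations described above, added here as an illustration. It is not kernel code: the struct layouts, function names and the section table are constructed for the example, and final_addr stands in for each section's final placement.

```c
#include <stdint.h>
#include <stdio.h>
#define SHF_EXECINSTR 0x4u /* ELF section flag: section holds code */

/* Simplified stand-ins for an ELF section header and symbol (not kernel types). */
struct sec { uint64_t sh_flags, sh_addr, sh_size, final_addr; };
struct sym { int present; unsigned st_shndx; uint64_t st_value; };

/* e_entry lookup: count executable sections whose range contains e_entry.
 * The first match relocates *start; a count above 1 is the ambiguous case. */
static int entry_from_e_entry(const struct sec *s, int n, uint64_t e_entry,
                              uint64_t *start)
{
    int matches = 0;
    *start = e_entry;
    for (int i = 0; i < n; i++) {
        if (!(s[i].sh_flags & SHF_EXECINSTR) || e_entry < s[i].sh_addr ||
            e_entry - s[i].sh_addr >= s[i].sh_size)
            continue;
        if (matches++ == 0)
            *start = e_entry - s[i].sh_addr + s[i].final_addr;
    }
    return matches;
}

/* Symbol lookup: st_shndx names exactly one section, so overlap is harmless.
 * Returns -1 when the symbol is absent so the caller can fall back. */
static int entry_from_symbol(const struct sec *s, int n, const struct sym *p,
                             uint64_t *start)
{
    if (!p->present || p->st_shndx >= (unsigned)n)
        return -1;
    *start = s[p->st_shndx].final_addr + p->st_value;
    return 0;
}

/* Constructed section table: relocatable object, every sh_addr is 0. */
static const struct sec demo[] = {
    { 0x3, 0, 0x100, 0x1000 }, /* data, not executable */
    { 0x6, 0, 0x40,  0x2000 }, /* code section A */
    { 0x6, 0, 0x80,  0x3000 }, /* code section B */
};
static const struct sym demo_start = { 1, 2, 0x10 }; /* constructed: lives in B */

int main(void)
{
    uint64_t a, b;
    int m = entry_from_e_entry(demo, 3, 0, &a), r = entry_from_symbol(demo, 3, &demo_start, &b);
    printf("e_entry: %d matches -> 0x%llx\n", m, (unsigned long long)a);
    printf("symbol: rc=%d -> 0x%llx\n", r, (unsigned long long)b);
    return 0;
}
```

With both code sections at sh_addr 0, the e_entry lookup matches twice and resolves to section A, while the symbol lookup resolves unambiguously into section B.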

Affected Systems

All Linux kernel builds that do not incorporate the commit that adds purgatory_start fallback are affected. This includes every kernel version released prior to the merge of commit 0277975 and any backports that have not applied this change. Vendor distribution does not impose further constraints beyond the kernel itself.

Risk and Exploitability

Exploitation requires the ability to load a custom kernel image, a capability normally limited to privileged users (root or processes with CAP_SYS_ADMIN and CAP_SYS_KEXEC). No public exploit is documented and the EPSS score is unavailable, suggesting remaining uncertainty about real‑world exploitation. The CVSS score of 5.5 indicates moderate severity, and the vulnerability is not listed in CISA’s KEV catalog. The impact, if realized, would be limited to the affected host and would not provide an attacker with additional privileges beyond those already required to load a kernel.

Generated by OpenCVE AI on May 9, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a revision that includes the purgatory_start fallback (committed in 0277975).
  • Restrict the use of kexec to trusted administrators and avoid exposing CAP_SYS_KEXEC to untrusted processes.
  • Monitor system logs for WARN entries from kexec_load_purgatory and defer non‑essential kexec operations until the patch is applied.

Advisories

No advisories yet.

History

Sat, 09 May 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-398

Sat, 09 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-346

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-346

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Title kexec: derive purgatory entry from symbol
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:11:13.860Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43289

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T14:16:35.867

Modified: 2026-05-08T14:16:35.867

Link: CVE-2026-43289

Redhat

Severity: Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43289 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses