Description
In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Disable KCOV instrumentation after load_segments()

The load_segments() function changes segment registers, invalidating GS base
(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any
subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins
crashing the kernel in an endless loop.

To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented
kernel:

$ kexec -l /boot/otherKernel
$ kexec -e

The real-world context for this problem is enabling crash dump collection in
syzkaller. For this, the tool loads a panic kernel before fuzzing and then
calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC
and CONFIG_KCOV to be enabled simultaneously.

Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())
is also undesirable as it would introduce an extra performance overhead.

Disabling instrumentation for the individual functions would be too fragile,
so disable KCOV instrumentation for the entire machine_kexec_64.c and
physaddr.c. If coverage-guided fuzzing ever needs these components in the
future, other approaches should be considered.

The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported
there.

[ bp: Space out comment for better readability. ]
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The x86-64 kexec path of the Linux kernel does not account for the segment-register changes made by load_segments() when the kernel is built with KCOV instrumentation (CONFIG_KCOV). load_segments() reloads the segment registers, which invalidates the GS base that KCOV-instrumented code uses to reach its per-CPU data. Any instrumented C function called after that point, such as native_gdt_invalidate(), then crashes the kernel, and the crash repeats in an endless loop. Running kexec (kexec -l followed by kexec -e) from a KCOV-instrumented kernel is enough to trigger it; which kernel is being loaded does not matter. The result is an immediate denial of service: the machine sits in the crash loop instead of booting into the new kernel.

Affected Systems

x86-64 Linux kernel builds that enable both CONFIG_KCOV and CONFIG_KEXEC. 32-bit x86 kernels are not affected because KCOV is not supported there.
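As an added preflight check (not part of the CVE record or of the kernel tree), the script below reads a kernel .config and reports whether it is the affected combination: an x86-64 build with CONFIG_KCOV and a kexec syscall enabled. The Kconfig symbol names are the standard ones; treating CONFIG_KEXEC_FILE the same as CONFIG_KEXEC, the function names and the sample config contents are this example's own assumptions. Run it against /boot/config-$(uname -r), or a dump of /proc/config.gz, before using kexec -l on a machine.

```shell
#!/bin/sh
# Added example for this CVE page (not kernel code, not part of the CVE record):
# decide from a kernel .config whether that kernel would crash when it performs
# a kexec, i.e. whether it is an x86-64 build with both KCOV and kexec enabled.
#
# Assumptions: the file uses the usual Kconfig format ("CONFIG_FOO=y" /
# "# CONFIG_FOO is not set"), and the kexec_file_load() path (CONFIG_KEXEC_FILE)
# is treated the same as kexec_load() (CONFIG_KEXEC), since both end in the
# arch machine_kexec code that the fix touches.

# True when "CONFIG_<symbol>=y" appears in the given config file.
config_is_set() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# Returns 0 (affected) for an x86-64 kernel with CONFIG_KCOV and a kexec
# syscall enabled; 1 (not affected) otherwise. 32-bit x86 is never affected
# because KCOV is not supported there.
kcov_kexec_affected() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    config_is_set "$cfg" X86_64 || return 1
    config_is_set "$cfg" KCOV || return 1
    config_is_set "$cfg" KEXEC && return 0
    config_is_set "$cfg" KEXEC_FILE && return 0
    return 1
}

# Human-readable verdict for one config file.
report() {
    if kcov_kexec_affected "$1"; then
        echo "$1: AFFECTED - do not kexec from this kernel until it carries the fix"
        echo "  (or rebuild it with CONFIG_KCOV=n; the instrumentation is compiled in)"
    else
        echo "$1: not affected"
    fi
}

# Constructed sample configs so the script runs offline; they are not real
# kernel configs.
demo() {
    d=$(mktemp -d)
    cat > "$d/fuzzer.config" <<'EOF'
CONFIG_X86_64=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KCOV=y
EOF
    cat > "$d/prod.config" <<'EOF'
CONFIG_X86_64=y
CONFIG_KEXEC=y
# CONFIG_KCOV is not set
EOF
    cat > "$d/i386.config" <<'EOF'
CONFIG_X86_32=y
CONFIG_KEXEC=y
EOF
    for f in "$d"/*.config; do report "$f"; done
    rm -rf "$d"
}

# Check the constructed samples, then the running kernel's config if present.
demo
real=/boot/config-"$(uname -r)"
if [ -r "$real" ]; then report "$real"; fi
```

The check is deliberately conservative: it only says "not affected" when one of the three required symbols is definitely absent, and an unreadable config counts as "not affected" only after printing a warning, so the caller notices the missing file rather than a silent pass.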

Risk and Exploitability

The record carries no CVSS score. Triggering the bug requires loading and executing a kernel with kexec, which needs CAP_SYS_BOOT, normally root; a user with that capability can already reboot the machine, so the flaw grants no new privilege and its impact is limited to availability. The attack vector is local. EPSS is below 1% and the flaw is not listed in the CISA KEV catalog. Once triggered, the kernel enters a crash loop and the machine must be reset to recover, which takes down every service on it. The realistic exposure is test and fuzzing systems, such as the syzkaller crash-dump workflow named in the commit, where CONFIG_KCOV is enabled on purpose; KCOV is a debugging option that distribution kernels generally leave disabled.

Generated by OpenCVE AI on May 8, 2026 at 18:33 UTC.

Remediation

The upstream fix disables KCOV instrumentation for machine_kexec_64.c and physaddr.c (see the commit referenced under Recommended Actions). There is no runtime workaround: the KCOV instrumentation is compiled in, so an unpatched kernel can only avoid the crash by being built without CONFIG_KCOV or by not performing a kexec.

OpenCVE Recommended Actions

  • Apply the upstream fix that disables KCOV instrumentation for machine_kexec_64.c and physaddr.c, referenced at https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a (equivalent backports may exist on other stable branches), or take the distribution kernel update that carries it.
  • Rebuild and install the patched kernel so that the changes take effect.
  • Until the patched kernel is installed, do not run kexec from a KCOV-instrumented x86-64 kernel. KCOV instrumentation is a build-time option and cannot be switched off at runtime, so if kexec is needed on an unpatched kernel, rebuild that kernel with CONFIG_KCOV disabled.

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-535

Fri, 08 May 2026 14:00:00 +0000

Type                 Values Removed   Values Added
Description                           (the Description text shown at the top of this page)
Title                                 x86/kexec: Disable KCOV instrumentation after load_segments()
First Time appeared                   Linux
                                      Linux linux Kernel
CPEs                                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                    Linux
                                      Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:31:18.787Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43331

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:42.763

Modified: 2026-05-08T14:16:42.763

Link: CVE-2026-43331

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:00:14Z

Weaknesses