Description
In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Disable KCOV instrumentation after load_segments()

The load_segments() function changes segment registers, invalidating GS base
(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any
subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins
crashing the kernel in an endless loop.

To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented
kernel:

$ kexec -l /boot/otherKernel
$ kexec -e

The real-world context for this problem is enabling crash dump collection in
syzkaller. For this, the tool loads a panic kernel before fuzzing and then
calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC
and CONFIG_KCOV to be enabled simultaneously.

Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())
is also undesirable as it would introduce an extra performance overhead.

Disabling instrumentation for the individual functions would be too fragile,
so disable KCOV instrumentation for the entire machine_kexec_64.c and
physaddr.c. If coverage-guided fuzzing ever needs these components in the
future, other approaches should be considered.

The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported
there.

[ bp: Space out comment for better readability. ]
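As an added illustration, not part of the CVE text or the kernel's own build files, this is the kbuild setting that implements the per-file approach the description settles on; the Makefile locations named in the comments are assumptions, and the exact hunks are in the commit linked under Recommended Actions.

```make
# Added example (not the patched kernel's own Makefile): the kbuild knob that
# turns off KCOV instrumentation for a whole translation unit, which is what
# the fix above does for machine_kexec_64.c and physaddr.c instead of marking
# individual functions (the description calls that too fragile).
#
# Assumed locations: machine_kexec_64.o is built from arch/x86/kernel/Makefile,
# physaddr.o from arch/x86/mm/Makefile. One line goes in each file.

# arch/x86/kernel/Makefile (assumed)
KCOV_INSTRUMENT_machine_kexec_64.o := n

# arch/x86/mm/Makefile (assumed)
KCOV_INSTRUMENT_physaddr.o := n

# For contrast: the directory-wide form, used where nothing in a directory may
# be instrumented (e.g. early boot code). Not what this fix does.
# KCOV_INSTRUMENT := n

# Defender-side check after rebuilding with CONFIG_KCOV=y: a correctly
# excluded object carries no calls into the KCOV fast path. An empty result
# from the following means the setting took effect:
#   objdump -d arch/x86/kernel/machine_kexec_64.o | grep __sanitizer_cov_trace_pc
```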
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's kexec path does not account for the segment-register changes performed by load_segments() when the kernel is built with KCOV instrumentation. load_segments() invalidates the GS base, which KCOV relies on for per-CPU data, so any subsequent instrumented call such as native_gdt_invalidate() crashes the kernel in an endless loop. The NVD entry does not map this vulnerability to a specific CWE, but the condition is triggered simply by running kexec on a KCOV-instrumented kernel, resulting in an immediate denial of service that leaves the system unresponsive.

Affected Systems

Linux kernel builds that enable both CONFIG_KCOV and CONFIG_KEXEC (primarily 64-bit builds) are affected. The flaw does not affect 32-bit kernels because KCOV is not supported there. Affected versions explicitly include Linux kernel 7.0 release candidates rc1 through rc6 and, based on the description, it is inferred that any subsequent stable releases that also enable both options would be affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity. EPSS score is < 1% and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is local and requires the ability to run kexec commands. Once triggered, the kernel will repeatedly crash, requiring a reboot to recover, thereby disrupting availability for all services running on the affected machine.

Generated by OpenCVE AI on May 18, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch series that disables KCOV instrumentation in machine_kexec_64.c and physaddr.c (for example, the commits referenced at https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a and its successors).
  • Rebuild and install the patched kernel so that the changes take effect.
  • If KCOV must remain enabled for other operations, temporarily disable KCOV or rebuild the kernel with CONFIG_KCOV disabled before performing a kexec operation.

Advisories

No advisories yet.

History

Mon, 18 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-535

Mon, 18 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 16 May 2026 00:15:00 +0000


Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-535

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description (the full commit text, identical to the Description section above)
Title x86/kexec: Disable KCOV instrumentation after load_segments()
First Time appeared Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:30.151Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43331

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:42.763

Modified: 2026-05-18T12:39:01.053

Link: CVE-2026-43331

Red Hat

Severity :

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43331 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-18T16:30:05Z

Weaknesses