Description
In the Linux kernel, the following vulnerability has been resolved:

e1000/e1000e: Fix leak in DMA error cleanup

If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.

Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.

In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")

Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.

This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An off‑by‑one error in the DMA error cleanup path of the e1000/e1000e network driver causes a single DMA mapping to remain allocated when a TX buffer mapping fails. The incorrect decrement of the mapping counter before unmapping prevents that buffer from being freed and creates a kernel‑mode memory leak that can exhaust DMA resources over time.

Affected Systems

Linux kernels that have not incorporated the patch commits that fixed the checksum error in the e1000/e1000e drivers are affected. Any system with an Intel 8254x‑based network adapter identified by the e1000 or e1000e driver module is at risk if that module is loaded in kernel space.

Risk and Exploitability

The vulnerability is scored moderate at 5.5 on CVSS and has an EPSS below 1 %, and it is not listed in CISA KEV. The driver operates in kernel space, so an attacker would need local access or higher privileges to trigger the erroneous buffer mappings, although the description does not specify the exact privilege requirement. Repeated exploitation could deplete DMA resources, leading to degraded performance or a denial‑of‑service for network traffic. In environments using the vulnerable driver, the risk remains moderate.

Generated by OpenCVE AI on May 9, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the e1000/e1000e driver patches, such as the commits cited in the advisory.
  • If an immediate kernel upgrade is not possible, blacklist the e1000 and e1000e modules or switch to an alternative NIC driver (e.g., igb or ixgbe).
  • Watch kernel logs for repeated DMA error messages or increased unmapped buffer counts to detect potential leaks.

Generated by OpenCVE AI on May 9, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-775

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-775

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak. In these commits, a faulty while condition caused an infinite loop in dma_error: Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver") Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error. This issue may still exist in the igbvf driver, but I did not address it in this patch.
Title e1000/e1000e: Fix leak in DMA error cleanup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:12.660Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43445

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:56.983

Modified: 2026-05-08T15:16:56.983

Link: CVE-2026-43445

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43445 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T17:00:06Z

Weaknesses