CVE-2026-43473 - Vulnerability Details

- scsi: mpi3mr: Add NULL checks when resetting request and reply queues

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Add NULL checks when resetting request and reply queues

The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to mem set the content of the freed memory, leading to
a system crash.

Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The mpi3mr SCSI driver in the Linux kernel suffered from a null pointer dereference and memory corruption (CWE-476, CWE-825) condition during resource cleanup. When a reply or request queue could not be created, the driver freed the memory and later attempted to clear it with a memory set operation, causing a system crash. This flaw allowed a local attacker to trigger a denial‑of‑service by forcing a queue allocation failure during SCSI device removal.

Affected Systems

All Linux kernel releases that compile the legacy mpi3mr driver and lack the added null‑check patch may be affected. No specific kernel version range was provided, so the issue could exist in any kernel revision prior to the upstream patch that introduced the guard.

Risk and Exploitability

Because the bug leads to an unhandled kernel crash, the primary impact is a denial‑of‑service. The flaw is local; based on the description, it is inferred that an attacker must be able to trigger a queue allocation failure, for example by interacting with a malicious SCSI device or through local privilege. The CVSS score is 5.5, indicating a medium severity. The EPSS score is < 1%, indicating a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV, but the deterministic crash behavior and lack of safeguards make it a serious issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< 7df0296ad4e9253d12c6dbe7f120044dddc95600
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< 7da755e0d02e9ca035065127e108d1fed8950dc8
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< 78d3f201f8b609928eade53cf03a52df5415aaf7
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< e978a36f332ede78eb4de037b517db16265d420d
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< 220d7ca70611a73d50ef8e9edac630ed1ececb7c
`fe6db615156573d3f6a37564b8a590cb03bbaf25`	affected	< fa96392ebebc8fade2b878acb14cce0f71016503

Linux

affected

Version	Status	Constraints
`5.17`	affected	—
`0`	unaffected	< 5.17
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f8e833572a3e12a2a1ffe7b3646af024264d38ca)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7df0296ad4e9253d12c6dbe7f120044dddc95600)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7da755e0d02e9ca035065127e108d1fed8950dc8)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,78d3f201f8b609928eade53cf03a52df5415aaf7)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e978a36f332ede78eb4de037b517db16265d420d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,220d7ca70611a73d50ef8e9edac630ed1ececb7c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fa96392ebebc8fade2b878acb14cce0f71016503)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the mpi3mr null‑check patch
Rebuild and install the updated kernel image on all affected hosts
Restart the system to load the patched driver

Generated by OpenCVE AI on May 21, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c
https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7
https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8
https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600
https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d
https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503
https://lore.kernel.org/linux-cve-announce/2026050805-CVE-2026-43473-cae2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43473
https://www.cve.org/CVERecord?id=CVE-2026-43473

History

Thu, 21 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 21 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

Thu, 21 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050805-CVE-2026-43473-cae2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43473 https://www.cve.org/CVERecord?id=CVE-2026-43473
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Sat, 09 May 2026 06:30:00 +0000

Type	Values Removed	Values Added
References	https://git.kernel.org/stable/c/f8e833572a3e12a2a1ffe7b3646af024264d38ca

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup
Title		scsi: mpi3mr: Add NULL checks when resetting request and reply queues
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7 https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8 https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600 https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d https://git.kernel.org/stable/c/f8e833572a3e12a2a1ffe7b3646af024264d38ca https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:32.210Z

Updated: 2026-05-11T22:25:17.395Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43473

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:17:00.453

Modified: 2026-05-21T14:59:03.313

Link: CVE-2026-43473

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43473 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T17:30:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object