Description
In the Linux kernel, the following vulnerability has been resolved:

efi: Fix reservation of unaccepted memory table

The reserve_unaccepted() function incorrectly calculates the size of the
memblock reservation for the unaccepted memory table. It aligns the
size of the table, but fails to account for cases where the table's
starting physical address (efi.unaccepted) is not page-aligned.

If the table starts at an offset within a page and its end crosses into
a subsequent page that the aligned size does not cover, the end of the
table will not be reserved. This can lead to the table being overwritten
or inaccessible, causing a kernel panic in accept_memory().

This issue was observed when starting Intel TDX VMs with specific memory
sizes (e.g., > 64GB).

Fix this by calculating the end address first (including the unaligned
start) and then aligning it up, ensuring the entire range is covered
by the reservation.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s EFI subsystem contains a defect in the reserve_unaccepted() function that miscalculates the size of the memory reservation for unaccepted memory tables. When the table’s starting physical address is not page-aligned, the function aligns the size but fails to account for the portion of the table that crosses into a subsequent page, leaving that region unreserved. This can result in the table being overwritten or inaccessible, which leads to a kernel panic during the accept_memory() phase, effectively denying service to the system.
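The arithmetic behind this defect, as an added example (a user-space model, not the kernel's own code). It assumes 4 KiB pages and that the reservation begins at the table's address rounded down to a page boundary; the function names and sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_SIZE 4096ULL /* assumption: 4 KiB pages */

static uint64_t pg_align_down(uint64_t x) { return x & ~(PG_SIZE - 1); }
static uint64_t pg_align_up(uint64_t x)   { return pg_align_down(x + PG_SIZE - 1); }

struct range { uint64_t start, end; }; /* half-open: [start, end) */

/* Pre-fix arithmetic as described: only the table size is rounded up. */
static struct range reserve_buggy(uint64_t table_pa, uint64_t table_len)
{
    struct range r;
    r.start = pg_align_down(table_pa); /* assumption: start is rounded down */
    r.end   = r.start + pg_align_up(table_len);
    return r;
}

/* Fixed arithmetic: compute the true end (unaligned start included), then round up. */
static struct range reserve_fixed(uint64_t table_pa, uint64_t table_len)
{
    struct range r;
    r.start = pg_align_down(table_pa);
    r.end   = pg_align_up(table_pa + table_len);
    return r;
}

/* Bytes at the tail of the table that fall outside the reservation. */
static uint64_t uncovered_tail(struct range r, uint64_t table_pa, uint64_t table_len)
{
    uint64_t table_end = table_pa + table_len;
    return table_end > r.end ? table_end - r.end : 0;
}

int main(void)
{
    /* Constructed values: table starts 0x800 into a page and is 0x1900 bytes long. */
    uint64_t pa = 0x7f000800ULL, len = 0x1900ULL;
    struct range b = reserve_buggy(pa, len), f = reserve_fixed(pa, len);

    printf("table [%#llx, %#llx)\n", (unsigned long long)pa, (unsigned long long)(pa + len));
    printf("buggy [%#llx, %#llx) leaves %llu bytes unreserved\n", (unsigned long long)b.start,
           (unsigned long long)b.end, (unsigned long long)uncovered_tail(b, pa, len));
    printf("fixed [%#llx, %#llx) leaves %llu bytes unreserved\n", (unsigned long long)f.start,
           (unsigned long long)f.end, (unsigned long long)uncovered_tail(f, pa, len));
    return 0;
}
```

With a page-aligned start the two calculations agree, which is why the fault only appears for particular table placements.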

Affected Systems

All Linux kernel releases that have not incorporated the reserve_unaccepted() fix are vulnerable. No specific version range is enumerated in the advisory, so any kernel that invokes this code path before the patch is at risk.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating that there are no publicly known exploits and the exploitation probability has not been quantified. The likely attack vector is local or privileged: it can be triggered during boot or by manipulating EFI memory configurations, such as when an Intel TDX virtual machine allocates memory greater than 64 GB. This inference is based on the description that the issue is observed when starting VMs with specific memory sizes and that the fault occurs during the acceptance of EFI memory tables.

Generated by OpenCVE AI on May 27, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the reserve_unaccepted() correction.
  • If an immediate update is not feasible, limit virtual machine memory to 64 GB or ensure that EFI memory tables are aligned to page boundaries to prevent the unaligned scenario.
  • For custom kernel builds, apply the upstream commit that calculates the table's end address first (including the unaligned start) and then aligns that end address up.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description (text identical to the Description section at the top of this page)
Title efi: Fix reservation of unaccepted memory table
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:15:23.221Z

Reserved: 2026-05-13T15:03:33.079Z

Link: CVE-2026-45851

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:16:57.077

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses