CVE-2026-43071

#!/bin/bash # PoC for CVE-2026-43071 # Description: Trigger OOB read by setting kernel boot parameter. # This requires access to kernel boot parameters (e.g., via GRUB). # 1. Add 'dhash_entries=1' to the kernel command line in /etc/default/grub # Example: GRUB_CMDLINE_LINUX_DEFAULT="quiet splash dhash_entries=1" # 2. Update grub # sudo update-grub # 3. Reboot the system # sudo reboot # Expected Result: Kernel panic/Oops during boot or filesystem operations due to invalid memory access in d_lookup.

{"cve": {"id": "CVE-2026-43071", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-05T16:16:16.420", "lastModified": "2026-05-08T13:16:37.870", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n BUG: unable to handle page fault for address: ffff888b30b774b0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP PTI\n RIP: 0010:__d_lookup+0x56/0x120\n Call Trace:\n d_lookup.cold+0x16/0x5d\n lookup_dcache+0x27/0xf0\n lookup_one_qstr_excl+0x2a/0x180\n start_dirop+0x55/0xa0\n simple_start_creating+0x8d/0xa0\n debugfs_start_creating+0x8c/0x180\n debugfs_create_dir+0x1d/0x1c0\n pinctrl_init+0x6d/0x140\n do_one_initcall+0x6d/0x3d0\n kernel_init_freeable+0x39f/0x460\n kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n b = d_hash(hash)\n dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n // The C standard defines the behavior of right shift amounts\n // exceeding the bit width of the operand as undefined. The\n // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n // so 'b' will point to an unallocated memory region.\n hlist_bl_for_each_entry_rcu(b)\n hlist_bl_first_rcu(head)\n h->first // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "references": [{"url": "https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}