Security Vulnerability Report
CVE-2026-43277 CVSS 5.5 MEDIUM

Published: 2026-05-06 12:16:49
Last Modified: 2026-05-08 19:34:27
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

APEI/GHES: ensure that won't go past CPER allocated record

The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller.

Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS:

 Unable to handle kernel paging request at virtual address fff00000f9b40000
 Mem abort info:
 ESR = 0x0000000096000007
 EC = 0x25: DABT (current EL), IL = 32 bits
 SET = 0, FnV = 0
 EA = 0, S1PTW = 0
 FSC = 0x07: level 3 translation fault
 Data abort info:
 ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
 CM = 0, WnR = 0, TnD = 0, TagAccess = 0
 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000
 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000
 Internal error: Oops: 0000000096000007 [#1] SMP
 Modules linked in:
 CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT
 Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
 Workqueue: kacpi_notify acpi_os_execute_deferred
 pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
 pc : hex_dump_to_buffer+0x30c/0x4a0
 lr : hex_dump_to_buffer+0x328/0x4a0
 sp : ffff800080e13880
 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083
 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004
 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083
 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010
 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020
 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008
 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000
 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020
 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000
 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008
 Call trace:
 hex_dump_to_buffer+0x30c/0x4a0 (P)
 print_hex_dump+0xac/0x170
 cper_estatus_print_section+0x90c/0x968
 cper_estatus_print+0xf0/0x158
 __ghes_print_estatus+0xa0/0x148
 ghes_proc+0x1bc/0x220
 ghes_notify_hed+0x5c/0xb8
 notifier_call_chain+0x78/0x148
 blocking_notifier_call_chain+0x4c/0x80
 acpi_hed_notify+0x28/0x40
 acpi_ev_notify_dispatch+0x50/0x80
 acpi_os_execute_deferred+0x24/0x48
 process_one_work+0x15c/0x3b0
 worker_thread+0x2d0/0x400
 kthread+0x148/0x228
 ret_from_fork+0x10/0x20
 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)
 ---[ end trace 0000000000000000 ]---

Prevent that by taking the actual allocated area into account when checking for CPER length.

[ rjw: Subject tweaks ]

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 2.6.35, before 5.10.252)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 5.11, before 5.15.202)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 5.16, before 6.1.165)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.2, before 6.6.128)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (version range truncated in the source record)
Linux Kernel (see the Git patch links for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C

/*
 * PoC Concept for CVE-2026-43277
 * This simulates the vulnerable logic in ghes_new() where the CPER record length
 * is not checked against the actual allocated memory size.
 */
#include <stdio.h>
#include <stdlib.h>

#define GHES_ESTATUS_MAX_SIZE 65536 // 64KB

void simulate_vulnerability(size_t record_len, size_t allocated_size)
{
    // Simulate allocation based on firmware table pages (could be smaller than requested)
    char *buffer = (char *)malloc(allocated_size);
    if (!buffer) {
        perror("malloc failed");
        return;
    }

    printf("[+] Allocated buffer: %zu bytes\n", allocated_size);
    printf("[+] Malicious CPER record length: %zu bytes\n", record_len);

    // Check 1: the original code only rejects records larger than MAX_SIZE (passes here)
    if (record_len > GHES_ESTATUS_MAX_SIZE) {
        printf("[-] Record rejected: Exceeds GHES_ESTATUS_MAX_SIZE\n");
        free(buffer);
        return;
    }

    // Vulnerability: missing check for (record_len > allocated_size).
    // In the real kernel, accessing 'buffer' beyond 'allocated_size' causes a page fault.
    // In this user-space simulation the same access is a heap over-read that may not
    // fault at all (ASan/Valgrind will flag it); the message below marks the boundary.
    printf("[!] Attempting to access buffer beyond allocated size...\n");

    // This loop simulates the kernel reading the record (e.g., in hex_dump_to_buffer)
    for (size_t i = 0; i < record_len; i++) {
        // Accessing memory outside the allocated block is what triggers the crash
        volatile char c = buffer[i];
        (void)c;
        if (i == allocated_size) {
            printf("[!!!] OOPS: Access violation at offset %zu (Boundary crossed!)\n", i);
        }
    }

    free(buffer);
}

int main(void)
{
    // Scenario: firmware allocates 1 page (4KB) but sends an 8KB record
    size_t alloc_size = 4096;
    size_t malicious_len = 8192;
    simulate_vulnerability(malicious_len, alloc_size);
    return 0;
}
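The simulation above shows only the missing check. The following added example (written for this page, not taken from the advisory or from the kernel source) models the length validation the fix corrects: the pre-fix check against GHES_ESTATUS_MAX_SIZE alone beside the corrected check that also compares the record against the memory actually allocated for it. The `estatus_hdr` layout and the function names are assumptions for this example, not the kernel's own definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define GHES_ESTATUS_MAX_SIZE 65536  /* 64KB, the limit the advisory names */

/* Simplified model of the generic error status header that precedes the
 * CPER sections. The layout is an assumption for this example, not the
 * kernel's struct; only data_length matters for the length check. */
struct estatus_hdr {
    uint32_t block_status;
    uint32_t raw_data_offset;
    uint32_t raw_data_length;
    uint32_t data_length;      /* firmware-supplied bytes of section data */
    uint32_t error_severity;
};

/* Whole-record length: header plus section data, widened to size_t so a
 * large firmware-supplied data_length cannot wrap the sum. */
static size_t estatus_len(const struct estatus_hdr *h)
{
    return sizeof(*h) + (size_t)h->data_length;
}

/* Pre-fix logic: the record is only compared against the global maximum;
 * the size of the memory actually allocated for it is never consulted. */
bool cper_len_ok_old(const struct estatus_hdr *h, size_t allocated)
{
    (void)allocated;
    return estatus_len(h) <= GHES_ESTATUS_MAX_SIZE;
}

/* Fixed logic: the record must also fit inside the allocated area, which
 * the advisory notes can be much smaller than 64KB (e.g. a single page). */
bool cper_len_ok_fixed(const struct estatus_hdr *h, size_t allocated)
{
    size_t len = estatus_len(h);
    return allocated >= sizeof(*h) && len <= GHES_ESTATUS_MAX_SIZE && len <= allocated;
}

/* Constructed scenario mirroring the PoC: 4KB allocated, firmware declares
 * an 8KB record. Returns 1 when only the fixed check rejects it. */
int oversized_record_scenario(void)
{
    struct estatus_hdr h = { .data_length = 8192 - (uint32_t)sizeof(struct estatus_hdr) };
    bool old_ok = cper_len_ok_old(&h, 4096);
    bool fixed_ok = cper_len_ok_fixed(&h, 4096);
    return (old_ok && !fixed_ok) ? 1 : 0;
}
```

The pre-fix check accepts the 8KB record because it is under 64KB; the corrected check rejects it because it exceeds the 4KB actually allocated, which is the condition that produced the oops in the advisory.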

References
