Security Vulnerability Report
CVE-2026-43289 CVSS 5.5 MEDIUM

Published: 2026-05-08 14:16:36
Last Modified: 2026-05-15 16:24:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

kexec: derive purgatory entry from symbol

kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN.

Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fallback for purgatories that do not expose the symbol.

WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784
Call Trace:
 <TASK>
 bzImage64_load+0x133/0xa00
 __do_sys_kexec_file_load+0x2b3/0x5c0
 do_syscall_64+0x81/0x610
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[[email protected]: move helper to avoid forward declaration, per Baoquan]

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Versions prior to commits: 0277975, 1737d37, 36eb314, 480e1d5, 5226570)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * Conceptual PoC for CVE-2026-43289
 * Triggering the vulnerability requires crafting a purgatory ELF object
 * with multiple executable sections that have overlapping sh_addr.
 *
 * This C code demonstrates the structural requirement.
 */
#include <stdio.h>
#include <stdint.h>

/* ELF section flag values (same values as in <elf.h>) */
#define SHF_ALLOC     0x2
#define SHF_EXECINSTR 0x4

// Simulated ELF Section Header structure for demonstration
typedef struct {
    uint32_t sh_name;
    uint32_t sh_type;
    uint64_t sh_flags;
    uint64_t sh_addr;      // Virtual address
    uint64_t sh_offset;
    uint64_t sh_size;
    uint32_t sh_link;
    uint32_t sh_info;
    uint64_t sh_addralign;
    uint64_t sh_entsize;
} Elf64_Shdr;

int main(void)
{
    printf("CVE-2026-43289 Conceptual Trigger\n");
    printf("Condition: Purgatory object with overlapping executable sections.\n");

    // To reproduce: Compile a purgatory object where two sections
    // (e.g., .text and .alt) are assigned the same or overlapping sh_addr.
    // Example Linker Script logic that causes the issue:
    //
    // SECTIONS
    // {
    //   . = 0x1000;
    //   .text : { *(.text) }          /* sh_addr = 0x1000 */
    //   .text.alt : { *(.text.alt) }  /* sh_addr = 0x1000 (Overlap!) */
    // }
    //
    // Loading this crafted object via kexec_file_load (the path shown in
    // the WARN's call trace) triggers the WARN.

    // Zero-initialise so the unused fields hold defined values
    Elf64_Shdr sec1 = {0}, sec2 = {0};

    sec1.sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    sec1.sh_addr = 0x1000;
    sec2.sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    sec2.sh_addr = 0x1000; // Overlapping address

    // Both sections must be executable and share an address
    if (sec1.sh_addr == sec2.sh_addr &&
        (sec1.sh_flags & SHF_EXECINSTR) && (sec2.sh_flags & SHF_EXECINSTR)) {
        printf("[+] Malformed structure generated: Overlapping executable sections detected.\n");
        printf("[*] Result: Kernel WARN at kexec_load_purgatory+0x395/0x3c0\n");
    }
    return 0;
}
```
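A simplified model of the two lookups the description contrasts, added here as an example; it is not kernel code and not part of the original page. The struct, the function names and every address are constructed for illustration, and the symbol's value is assumed to be an offset within its section, as in a relocatable object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHF_EXECINSTR 0x4 /* ELF section flag: executable instructions */

/* Simplified section model (not the kernel's structures): link-time
 * address, size, flags, and the address the loader finally placed it at. */
struct sec { uint64_t sh_addr, sh_size, sh_flags, placed; };

/* Constructed layout: two executable sections that both claim address 0. */
static const struct sec overlapping[] = {
    { 0x0, 0x100, 0x2 | SHF_EXECINSTR, 0x5000 }, /* .text     */
    { 0x0, 0x080, 0x2 | SHF_EXECINSTR, 0x5100 }, /* .text.alt */
    { 0x0, 0x040, 0x2,                 0x5180 }, /* .data     */
};

/* e_entry lookup: count executable sections whose address range contains
 * e_entry. Any result other than 1 means the entry section is ambiguous. */
static int entry_matches(const struct sec *s, size_t n, uint64_t e_entry)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if ((s[i].sh_flags & SHF_EXECINSTR) && e_entry >= s[i].sh_addr &&
            e_entry - s[i].sh_addr < s[i].sh_size)
            hits++;
    return hits;
}

/* Symbol lookup: the symbol names one section (shndx) and an offset in it
 * (value), so the start address follows from that section's placement.
 * Returns 0 on success, -1 for a bad index, non-code section or offset. */
static int start_from_symbol(const struct sec *s, size_t n, size_t shndx,
                             uint64_t value, uint64_t *start)
{
    if (shndx >= n || !(s[shndx].sh_flags & SHF_EXECINSTR) ||
        value >= s[shndx].sh_size)
        return -1;
    *start = s[shndx].placed + value;
    return 0;
}

int main(void)
{
    uint64_t start = 0;
    printf("e_entry matches: %d\n", entry_matches(overlapping, 3, 0x10));
    if (start_from_symbol(overlapping, 3, 0, 0x10, &start) == 0)
        printf("start from symbol: 0x%llx\n", (unsigned long long)start);
    return 0;
}
```

A build-time check in the same spirit would reject any purgatory object for which the match count is not exactly 1.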

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43289", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:35.867", "lastModified": "2026-05-15T16:24:16.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkexec: derive purgatory entry from symbol\n\nkexec_load_purgatory() derives image->start by locating e_entry inside an\nSHF_EXECINSTR section. If the purgatory object contains multiple\nexecutable sections with overlapping sh_addr, the entrypoint check can\nmatch more than once and trigger a WARN.\n\nDerive the entry section from the purgatory_start symbol when present and\ncompute image->start from its final placement. Keep the existing e_entry\nfallback for purgatories that do not expose the symbol.\n\nWARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784\nCall Trace:\n <TASK>\n bzImage64_load+0x133/0xa00\n __do_sys_kexec_file_load+0x2b3/0x5c0\n do_syscall_64+0x81/0x610\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[[email protected]: move helper to avoid forward declaration, per Baoquan]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.287", 
"versionEndExcluding": "4.20", "matchCriteriaId": "5245350E-E545-446D-A6C0-2E989F3977CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.248", "versionEndExcluding": "5.5", "matchCriteriaId": "DB73E6A2-799F-4F3F-A41F-D941488D5BBE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.185", "versionEndExcluding": "5.10.252", "matchCriteriaId": "8E1F0730-BAF8-4DD0-8073-01A6332378F0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.118", "versionEndExcluding": "5.15.202", "matchCriteriaId": "33D0D77E-AD7A-466B-AD8C-882989B55DA0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.35", "versionEndExcluding": "6.1.165", "matchCriteriaId": "8E377CC8-FB48-457F-B230-4ED66CC1635A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3.9", "versionEndExcluding": "6.4", "matchCriteriaId": "0F0AC27C-C1AB-49CF-A549-0BF7D8370313"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.1", "versionEndExcluding": "6.6.128", "matchCriteriaId": "ED949C60-54E9-4E38-BCA0-CA3FD1F24C5B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*", "matchCriteriaId": "DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc7:*:*:*:*:*:*", "matchCriteriaId": "1D6CAA59-F0EF-4E0B-8C23-EC9535008572"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe: ... (truncated)