CVE-2026-43313

/* * Conceptual Proof of Concept (PoC) for CVE-2026-43313 * This code demonstrates the logic flaw leading to NULL pointer dereference. * Compile as a kernel module to test on vulnerable hardware/kernel. */ #include <linux/module.h> #include <linux/kernel.h> #include <linux/pci.h> void simulate_vulnerable_path(void) { struct pci_dev *dev; bool bmisx = true; // Simulating the errata condition // Step 1: First assignment (IDE device) - Assume Success dev = pci_get_subsys(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82371AB, PCI_ANY_ID, PCI_ANY_ID, NULL); if (dev) { printk(KERN_INFO "[PoC] Step 1: IDE device found at %p\n", dev); } // Step 2: Second assignment (ISA device) - Simulate Failure (returns NULL) // Vulnerability: The code overwrites 'dev' without checking if the new value is NULL dev = pci_get_subsys(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82371AB_0, PCI_ANY_ID, PCI_ANY_ID, NULL); printk(KERN_INFO "[PoC] Step 2: ISA device lookup returned %p\n", dev); // Step 3: Trigger the dereference if (bmisx) { // This line causes the crash if dev is NULL printk(KERN_INFO "[PoC] Attempting to access dev->dev...\n"); // dev_dbg(&dev->dev, "Triggering vulnerability"); // Original vulnerable call if (dev == NULL) { printk(KERN_ALERT "[PoC] NULL Pointer Dereference Imminent!\n"); // To actually crash, we would dereference dev here, e.g., dev->dev; } else { printk(KERN_INFO "[PoC] Safe, dev is not NULL.\n"); } } } int init_module(void) { printk(KERN_INFO "CVE-2026-43313 PoC Module Loaded\n"); // In a real scenario, this logic is called during ACPI init // simulate_vulnerable_path(); return 0; } void cleanup_module(void) { printk(KERN_INFO "CVE-2026-43313 PoC Module Unloaded\n"); } MODULE_LICENSE("GPL");

{"cve": {"id": "CVE-2026-43313", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:39.710", "lastModified": "2026-05-15T17:09:58.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()\n\nIn acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE\ndevice and then reassigned an ISA device:\n\n dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);\n dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);\n\nIf the first lookup succeeds but the second fails, dev becomes NULL. This\nleads to a potential null-pointer dereference when dev_dbg() is called:\n\n if (errata.piix4.bmisx)\n dev_dbg(&dev->dev, ...);\n\nTo prevent this, use two temporary pointers and retrieve each device\nindependently, avoiding overwriting dev with a possible NULL value.\n\n[ rjw: Subject adjustment, added an empty code line ]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "5.15.202", "matchCriteriaId": "13FF04FC-408D-490E-93F8-68442FA765B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*", "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/01e8751b37a366b1ca561add0042f2ceb18c03bf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0398b641be2b66c2fc7e0163c606ef19372e7ad5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/06724a60cfa9767ea90b0f5d3dfb5cdd251b64f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/29f60d3d06818d40118a30d663231f027ae87a05", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b803811485ac0b2f774b6bf3abc8b999ba3b7033", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f132e089fe89cadc2098991f0a3cb05c3f824ac6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}