CVE-2026-43473

/* * PoC for CVE-2026-43473 * This code attempts to interact with the mpi3mr driver to trigger the queue reset logic. * Successful exploitation requires the driver to be loaded and vulnerable. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #define MPI3MR_DRIVER_PATH "/dev/mpi3mrctl" // Hypothetical device node int main() { int fd; printf("[*] Attempting to open %s...\n", MPI3MR_DRIVER_PATH); // Open the device node fd = open(MPI3MR_DRIVER_PATH, O_RDWR); if (fd < 0) { perror("[-] Failed to open device"); return 1; } printf("[+] Device opened. Triggering queue reset logic...\n"); /* * In a real scenario, a specific IOCTL or command sequence would be sent * to force the driver into a state where queue creation fails, * followed by a reset operation that triggers the NULL pointer dereference. * Since the specific IOCTL is not disclosed, this is a placeholder for the trigger. */ // Example: Sending a command that might stress the queue allocation // ioctl(fd, SOME_VULNERABLE_IOCTL, NULL); printf("[*] If the kernel is vulnerable, a crash (Oops/Panic) may occur now.\n"); close(fd); return 0; }

{"cve": {"id": "CVE-2026-43473", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:17:00.453", "lastModified": "2026-05-21T14:59:03.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Add NULL checks when resetting request and reply queues\n\nThe driver encountered a crash during resource cleanup when the reply and\nrequest queues were NULL due to freed memory. This issue occurred when the\ncreation of reply or request queues failed, and the driver freed the memory\nfirst, but attempted to mem set the content of the freed memory, leading to\na system crash.\n\nAdd NULL pointer checks for reply and request queues before accessing the\nreply/request memory during cleanup"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.1.167", "matchCriteriaId": "E7A9A910-FB79-4BDA-9F21-34A651CE6253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.78", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.19", "matchCriteriaId": "D394AC60-6F28-435F-872A-CCDF384B8331"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}