In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ARM processor Error: don't go past allocated memory
If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to dereference err->section_length and ctx_info->size.
Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this:
[ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP
[ 1.495449] Modules linked in:
[ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT
[ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
[ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred
[ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1.497199] pc : log_arm_hw_error+0x5c/0x200
[ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220

0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).
70      err_info = (struct cper_arm_err_info *)(err + 1);
71      ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num);
72      ctx_err = (u8 *)ctx_info;
73
74      for (n = 0; n < err->context_info_num; n++) {
75          sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size;
76          ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);
77          ctx_len += sz;
78      }
79
and similar ones while trying to access section_length on an error dump with too small size.
[ rjw: Subject tweaks ]
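The class of check the description calls for, as an added user-space example; it is not the kernel's code or the upstream patch. The struct layouts are simplified stand-ins for the CPER ARM structures, and the names ctx_len_checked and make_sample are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the CPER ARM structures (assumed layout, not the kernel's). */
struct arm_err_hdr { uint32_t section_length; uint16_t err_info_num, context_info_num; };
struct arm_err_info { uint8_t raw[32]; };
struct arm_ctx_info { uint16_t version, type; uint32_t size; };

/* Sum the context records, checking every read against `len`, the bytes really
 * present. Returns the total context length, or -1 for a short or inconsistent record. */
long ctx_len_checked(const uint8_t *buf, size_t len)
{
    struct arm_err_hdr hdr;
    struct arm_ctx_info ctx;
    size_t off = sizeof(hdr), end, total = 0;

    if (len < sizeof(hdr))
        return -1;                 /* too small to even read section_length */
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.section_length < sizeof(hdr) || hdr.section_length > len)
        return -1;                 /* claimed length disagrees with the buffer */
    end = hdr.section_length;
    if ((end - off) / sizeof(struct arm_err_info) < hdr.err_info_num)
        return -1;                 /* error-info array would pass the end */
    off += (size_t)hdr.err_info_num * sizeof(struct arm_err_info);

    for (unsigned n = 0; n < hdr.context_info_num; n++) {
        if (end - off < sizeof(ctx))
            return -1;             /* no room left for this context header */
        memcpy(&ctx, buf + off, sizeof(ctx));
        if (ctx.size > end - off - sizeof(ctx))
            return -1;             /* ctx.size points past the section */
        off += sizeof(ctx) + ctx.size;
        total += sizeof(ctx) + ctx.size;
    }
    return (long)total;
}

/* Constructed sample in a 64-byte buffer: header, one error-info, one context. */
size_t make_sample(uint8_t *buf, uint16_t nctx, uint32_t ctx_size)
{
    struct arm_err_hdr h = { 8 + 32 + 8 + 4, 1, nctx };
    struct arm_ctx_info c = { 0, 0, ctx_size };
    memset(buf, 0, 64);
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h) + sizeof(struct arm_err_info), &c, sizeof(c));
    return h.section_length;
}
```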
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43201.json",
"cna_assigner": "Linux"
}