CVE-2026-43266

Source: https://cve.org/CVERecord?id=CVE-2026-43266
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43266.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2026-43266
Published: 2026-05-06T11:28:52.238Z
Modified: 2026-06-18T03:54:34.550637709Z
Summary
EFI/CPER: don't go past the ARM processor CPER record buffer
Details

In the Linux kernel, the following vulnerability has been resolved:

EFI/CPER: don't go past the ARM processor CPER record buffer

There's logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big.

Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, the kernel will blindly trust section_length, producing a very long dump. For instance, a 67-byte record with ERR_INFO_NUM set to 46198 and section length set to 854918320 would dump a lot of data going way past the firmware memory-mapped area.

Fix it by adding logic to prevent it from going past the buffer if ERR_INFO_NUM is too big, making it report instead:

[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
[Hardware Error]: event severity: recoverable
[Hardware Error]:  Error 0, type: recoverable
[Hardware Error]:   section_type: ARM processor error
[Hardware Error]:   MIDR: 0xff304b2f8476870a
[Hardware Error]:   section length: 854918320, CPER size: 67
[Hardware Error]:   section length is too big
[Hardware Error]:   firmware-generated error record is incorrect
[Hardware Error]:   ERR_INFO_NUM is 46198

[ rjw: Subject and changelog tweaks ]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43266.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 2f74f09bce4f8d0236f20174a6daae63e10fe733
Fixed: c80113dcfc807308f5ab33847fae77e07531aeb8
Fixed: ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4
Fixed: a68d22902a6916e10ee235fee609239004e129d0
Fixed: 64eb63f573f497553e1a0c388bbcdd639e0f0704
Fixed: be10c1bdf64a39832998f54900aa309b3917abcf
Fixed: 25b290624b0e3d2f0f90238709ee0b6009b9fde8
Fixed: 45766863baf899059e75595dd3cb1116467f2095
Fixed: eae21beecb95a3b69ee5c38a659f774e171d730e

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43266.json"

Linux / Kernel

Package
Name: Kernel

Affected ranges

Type: ECOSYSTEM (all ranges below)
Events:
Introduced: 4.13.0, Fixed: 5.10.252
Introduced: 5.11.0, Fixed: 5.15.202
Introduced: 5.16.0, Fixed: 6.1.165
Introduced: 6.2.0, Fixed: 6.6.128
Introduced: 6.7.0, Fixed: 6.12.75
Introduced: 6.13.0, Fixed: 6.18.16
Introduced: 6.19.0, Fixed: 6.19.6

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43266.json"