CVE-2026-43348

Source
https://cve.org/CVERecord?id=CVE-2026-43348
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43348.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43348
Downstream
Related
Published
2026-05-08T13:41:51.909Z
Modified
2026-06-18T03:54:53.894579703Z
Summary
mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
Details

In the Linux kernel, the following vulnerability has been resolved:

mshvvtl: Fix vmemmapshift exceeding MAXFOLIOORDER

When registering VTL0 memory via MSHVADDVTL0MEMORY, the kernel computes pgmap->vmemmapshift as the number of trailing zeros in the OR of startpfn and lastpfn, intending to use the largest compound page order both endpoints are aligned to.

However, this value is not clamped to MAXFOLIOORDER, so a sufficiently aligned range (e.g. physical range [0x800000000000, 0x800080000000), corresponding to startpfn=0x800000000 with 35 trailing zeros) can produce a shift larger than what memremappages() accepts, triggering a WARN and returning -EINVAL:

WARNING: ... memremap_pages+0x512/0x650 requested folio size unsupported

The MAXFOLIOORDER check was added by commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound page sizes in memremap_pages()").

Fix this by clamping vmemmapshift to MAXFOLIO_ORDER so we always request the largest order the kernel supports, in those cases, rather than an out-of-range value.

Also fix the error path to propagate the actual error code from devmmemremappages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43348.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7bfe3b8ea6e30437e01fcb8e4f56ef6e4d986d0f
Fixed
a142ca4b6481e71498712800b20e0c0fcf02843b
Fixed
404cd6bffe17e25e0f94ed2775ffdd6cd10ac3fd

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43348.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43348.json"