CVE-2026-43034
Description
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: set backing store type from query type
bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the firmware response in ctxm->type and later uses that value to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[].
ctxm->type is fixed by the current backing-store query type and matches the array index of ctx->ctx_arr. Set ctxm->type from the current loop variable instead of depending on resp->type.
Also update the loop to advance type from next_valid_type in the for statement, which keeps the control flow simpler for non-valid and unchanged entries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel bnxt_en driver, a bug in backing-store type handling could cause out-of-bounds array access because the type value from the firmware response was used as an index instead of the loop variable.
Vulnerability
Analysis
In the Linux kernel's bnxt_en driver, the function bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the firmware response into ctxm->type. This value is later used to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[]. However, the correct index should be derived from the current loop variable, not from the potentially untrusted firmware response. This misassignment could lead to out-of-bounds array access if the firmware returns an unexpected type value.
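The following is an added illustration of the loop described in the CVE description and the analysis above, not the bnxt_en driver's own code: the struct layout, array size, STOP_TYPE sentinel and firmware replies are all constructed for this example. It contrasts the pre-fix index selection (taken from the firmware reply) with the fixed form (taken from the bounded loop variable, advanced from next_valid_type in the for statement).

```c
#include <stdbool.h>
#include <stdint.h>
/* Illustrative model of the backing-store qcaps_v2 query loop. Names, sizes
 * and the firmware replies are assumptions for this example, not driver code. */
#define CTX_MAX   8        /* entries in the fixed metadata arrays */
#define STOP_TYPE 0xFFFF   /* next_valid_type meaning "no further types" */

struct qcaps_resp {            /* subset of a firmware query reply */
    uint16_t type;             /* type echoed by firmware: not trustworthy */
    uint16_t next_valid_type;  /* next type the firmware reports as valid */
    bool     valid;
};
/* Constructed replies, indexed by queried type. Entry 2 echoes a type far
 * outside the fixed arrays, as a misbehaving device or firmware might. */
static const struct qcaps_resp fw_replies[CTX_MAX] = {
    [0] = { .type = 0,      .next_valid_type = 1,         .valid = true  },
    [1] = { .type = 1,      .next_valid_type = 2,         .valid = false },
    [2] = { .type = 0x1234, .next_valid_type = 5,         .valid = true  },
    [5] = { .type = 5,      .next_valid_type = STOP_TYPE, .valid = true  },
};

/* Before the fix: the array index comes from resp->type. Returns the largest
 * index the loop would use; it is recorded, not dereferenced, to stay safe. */
uint16_t qcaps_loop_before(void)
{
    uint16_t max_idx = 0, type = 0;
    while (type < CTX_MAX) {
        const struct qcaps_resp *resp = &fw_replies[type];
        if (!resp->valid) { type = resp->next_valid_type; continue; }
        uint16_t ctxm_type = resp->type;   /* bug: firmware chooses the index */
        if (ctxm_type > max_idx) max_idx = ctxm_type;
        type = resp->next_valid_type;
    }
    return max_idx;
}

/* After the fix: ctxm->type is the loop variable, already bounded by the loop
 * condition, and the for statement advances from next_valid_type. */
uint16_t qcaps_loop_after(void)
{
    uint16_t max_idx = 0;
    for (uint16_t type = 0; type < CTX_MAX; type = fw_replies[type].next_valid_type) {
        const struct qcaps_resp *resp = &fw_replies[type];
        if (!resp->valid) continue;
        uint16_t ctxm_type = type;         /* index fixed by the query type */
        if (ctxm_type > max_idx) max_idx = ctxm_type;
    }
    return max_idx;
}
```

With the constructed replies, the pre-fix loop would address the fixed arrays at index 0x1234, while the fixed loop never exceeds CTX_MAX - 1.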
Exploitation
Prerequisites
The bug is triggered during normal driver operation when the driver queries firmware capabilities via the HWRM interface. An attacker would need to be able to influence the firmware response, such as through a malicious PCIe device or compromised firmware. No special privileges are required beyond the ability to cause the driver to perform a backing store query, which occurs during device initialization.
Impact
If successfully exploited, the out-of-bounds access could corrupt kernel memory, leading to a system crash (denial of service) or potentially privilege escalation. The vulnerability is rated with a CVSS v3 score of 5.5 (Medium), indicating a moderate severity.
Mitigation
Patches have been applied to the Linux kernel stable branches to fix the issue by setting ctxm->type from the loop variable and updating the loop to advance the type from next_valid_type. Users should update their kernels to the latest stable release to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.8, <6.18.22)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.