VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 11, 2026

CVE-2026-43129


Description

In the Linux kernel, the following vulnerability has been resolved:

ima: verify the previous kernel's IMA buffer lies in addressable RAM

Patch series "Address page fault in ima_restore_measurement_list()", v3.

When the second-stage kernel is booted via kexec with a limiting command line such as "mem=" we observe a page fault that happens.

    BUG: unable to handle page fault for address: ffff97793ff47000
    RIP: ima_restore_measurement_list+0xdc/0x45a
    #PF: error_code(0x0000) not-present page

This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds")

This patch (of 3):

When the second-stage kernel is booted with a limiting command line (e.g. "mem="), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore.

Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory:
- On x86, use pfn_range_is_mapped().
- On OF based architectures, use page_is_ram().
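
A userspace model of the kind of range check described above, added here as an illustration; it is not the kernel patch or code from this advisory. The function name ima_buf_range_ok(), the two memory maps and the buffer addresses are constructed assumptions, with the maps standing in for the booted kernel's view of usable RAM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Usable RAM as page-frame ranges [start_pfn, end_pfn); entries are assumed
 * merged, so one buffer must fit inside a single entry. */
struct pfn_range { uint64_t start_pfn, end_pfn; };

/* Constructed maps: a 4 GiB machine, and the same machine booted with mem=1G. */
static const struct pfn_range full_map[]    = { {0x1, 0xa0}, {0x100, 0x100000} };
static const struct pfn_range limited_map[] = { {0x1, 0xa0}, {0x100, 0x40000} };

/* Hypothetical model of the range check: reject empty or wrapping ranges, then
 * require every page of [start, start + size - 1] to lie in usable RAM. */
bool ima_buf_range_ok(const struct pfn_range *map, size_t n,
                      uint64_t start, uint64_t size)
{
    uint64_t end, start_pfn, end_pfn;

    if (size == 0 || start > UINT64_MAX - (size - 1))
        return false;
    end = start + size - 1;
    start_pfn = start >> PAGE_SHIFT;
    end_pfn = (end >> PAGE_SHIFT) + 1;  /* exclusive upper bound */

    for (size_t i = 0; i < n; i++)
        if (start_pfn >= map[i].start_pfn && end_pfn <= map[i].end_pfn)
            return true;
    return false;
}

int main(void)
{
    uint64_t buf = 0xbff47000ULL, len = 0x2000;  /* constructed buffer near 3 GiB */

    printf("first kernel:  %d\n", ima_buf_range_ok(full_map, 2, buf, len));
    printf("mem=1G kernel: %d\n", ima_buf_range_ok(limited_map, 2, buf, len));
    printf("straddles 1G:  %d\n",
           ima_buf_range_ok(limited_map, 2, 0x3ffff000ULL, 0x2000));
    return 0;
}
```

A caller that gets false back from such a check would skip restoring the handed-over measurement list rather than dereference the buffer.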

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, the IMA measurement buffer from a previous kernel may not be in addressable RAM during kexec with memory limits, causing a page fault; fixed by adding a range validation check.

Vulnerability

CVE-2026-43129 is a vulnerability in the Linux kernel's Integrity Measurement Architecture (IMA) subsystem. When a second-stage kernel is booted via kexec with a limiting command line (e.g., mem=), the IMA measurement buffer handed over from the previous kernel may reside outside the new kernel's addressable RAM. Accessing such a buffer during early restore triggers a page fault, as observed in the bug report.

Exploitation

An attacker with the ability to control the kexec boot command line (e.g., by adjusting mem=) could potentially trigger this page fault. The vulnerability is exploitable only on x86_64 systems; it was already fixed on aarch64 by commit cbf9c4b9617b [1]. Exploitation requires physical access or privileged control over the kernel boot parameters, and the system must be configured for kexec.

Impact

Successful exploitation results in a kernel page fault, likely causing a system crash (denial of service). The crash occurs during early boot of the second kernel, preventing the system from starting. No privilege escalation or data integrity impact is described.

Mitigation

The fix introduces a generic helper, ima_validate_range(), which verifies that the physical address range of the previous-kernel IMA buffer lies within addressable memory. On x86, it uses pfn_range_is_mapped(); on OF-based architectures, it uses page_is_ram() [2][3][4]. The patch series has been applied to the Linux kernel stable branches. Users should update to a patched kernel version.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
