CVE-2026-43200
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions
struct configfs_item_operations callbacks are defined like the following:
  int (*allow_link)(struct config_item *src, struct config_item *target);
  void (*drop_link)(struct config_item *src, struct config_item *target);
While pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify the parameters in the correct order, pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() specify the parameters in the wrong order, leading to the below kernel crash when using the unlink command in configfs:
  Unable to handle kernel paging request at virtual address 0000000300000857
  Mem abort info:
  ...
  pc : string+0x54/0x14c
  lr : vsnprintf+0x280/0x6e8
  ...
  string+0x54/0x14c
  vsnprintf+0x280/0x6e8
  vprintk_default+0x38/0x4c
  vprintk+0xc4/0xe0
  pci_epf_unbind+0xdc/0x108
  configfs_unlink+0xe0/0x208+0x44/0x74
  vfs_unlink+0x120/0x29c
  __arm64_sys_unlinkat+0x3c/0x90
  invoke_syscall+0x48/0x134
  do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0
[mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, swapped parameters in PCI endpoint configfs unlink functions cause a NULL pointer dereference and kernel crash when unlinking configfs entries.
Vulnerability Details
In the Linux kernel, pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() declared their parameters in the opposite order from the configfs_item_operations callback signature. The drop_link callback receives struct config_item *src first and struct config_item *target second, but the two PCI endpoint unlink functions named and used them in reverse order. Each function therefore treats the source item as the target and vice versa, accesses incorrect memory, and crashes the kernel as shown in the oops trace [1][4].
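An added illustration, not kernel source and not part of the CVE record: a userspace C model of the mismatch described above, with the pre-fix and post-fix callback shapes side by side. Only config_item and the (src, target) order of drop_link come from the description; the kind tags, struct layouts, function names and the choice of the EPF item as src are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model, constructed for illustration. Only config_item and the
 * (src, target) order of drop_link come from the CVE description. */
enum kind { KIND_EPF, KIND_EPC };
struct config_item { enum kind kind; };
struct epf_group { struct config_item item; const char *name; };
struct epc_group { struct config_item item; const char *name; };

/* Tagged stand-ins for container_of(). The kernel macro has no tag to check,
 * so a wrong item silently becomes a pointer into the wrong structure. */
static struct epf_group *to_epf(struct config_item *i) {
    return i->kind == KIND_EPF ? (struct epf_group *)i : NULL;
}
static struct epc_group *to_epc(struct config_item *i) {
    return i->kind == KIND_EPC ? (struct epc_group *)i : NULL;
}

static int misreads; /* callbacks that treated an item as the wrong type */
typedef void (*drop_link_fn)(struct config_item *src, struct config_item *target);

/* Pre-fix shape: parameter names reversed relative to (src, target). */
void unlink_swapped(struct config_item *epc_item, struct config_item *epf_item) {
    if (!to_epc(epc_item) || !to_epf(epf_item))
        misreads++; /* the kernel would use the bogus pointer at this point */
}

/* Post-fix shape: names follow (src, target), like the link callbacks. */
void unlink_fixed(struct config_item *epf_item, struct config_item *epc_item) {
    if (!to_epf(epf_item) || !to_epc(epc_item))
        misreads++;
}

/* Models configfs invoking drop_link(src, target). Assumption of this model:
 * src is the EPF-side item and target is the EPC-side item. */
int misreads_on_unlink(drop_link_fn drop_link) {
    struct epf_group epf = { { KIND_EPF }, "func1" };
    struct epc_group epc = { { KIND_EPC }, "ctrl0" };
    misreads = 0;
    drop_link(&epf.item, &epc.item);
    return misreads;
}

int main(void) {
    printf("swapped: %d misread\n", misreads_on_unlink(unlink_swapped));
    printf("fixed:   %d misread\n", misreads_on_unlink(unlink_fixed));
    return 0;
}
```

Both callbacks have the same C type, so the compiler accepts either one as drop_link; only the parameter names differ, which is why the pre-fix code built cleanly.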
Exploitation
An attacker with local access to a system using the PCI endpoint framework and configfs can trigger this bug by issuing an unlink command on a configfs entry that invokes the affected functions. No elevated privileges are required beyond the ability to manipulate configfs entries, which may be available to unprivileged users depending on system configuration. The crash manifests as an "Unable to handle kernel paging request" at a virtual address derived from the swapped pointers [1][4].
Impact
Successful exploitation causes a denial of service (system crash) due to the kernel panic. The CVSS v3 score of 5.5 (Medium) reflects this local, low-complexity attack vector. There is no indication of privilege escalation or data corruption beyond the immediate crash [1][4].
Mitigation
The fix corrects the parameter order in both unlink functions to match the configfs callback interface. The patch has been applied to the stable kernel tree, and users should update to a kernel containing the fix. No known workarounds exist; the vulnerability is resolved by the kernel patch [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (7)
- git.kernel.org/stable/c/142b1bba3299264b76ed8ef53cd93b2b2af65d6c (nvd, Patch)
- git.kernel.org/stable/c/1c96c1acef4b4a1108fc13f84a8ac0b0633bbb46 (nvd, Patch)
- git.kernel.org/stable/c/339191811e6fc4559c4008c5af7a91b05086d596 (nvd, Patch)
- git.kernel.org/stable/c/58686bf62cb38b92e4b28408162a5703775b4d12 (nvd, Patch)
- git.kernel.org/stable/c/733cbc3aa97e71cc70847e75c925b364cc9b04a6 (nvd, Patch)
- git.kernel.org/stable/c/8754dd7639ab0fd68c3ab9d91c7bdecc3e5740a8 (nvd, Patch)
- git.kernel.org/stable/c/aefc0e0bd20f54abe3b501b8798c0be656af272b (nvd, Patch)