CVE-2026-43201
Description
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ARM processor Error: don't go past allocated memory
If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to dereference err->section_length and ctx_info->size.
Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this:
    [ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP
    [ 1.495449] Modules linked in:
    [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT
    [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
    [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred
    [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
    [ 1.497199] pc : log_arm_hw_error+0x5c/0x200
    [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220
    0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).
    70		err_info = (struct cper_arm_err_info *)(err + 1);
    71		ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num);
    72		ctx_err = (u8 *)ctx_info;
    73
    74		for (n = 0; n < err->context_info_num; n++) {
    75			sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size;
    76			ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);
    77			ctx_len += sz;
    78		}
    79
and similar ones while trying to access section_length on an error dump with too small size.
[ rjw: Subject tweaks ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a missing bounds check in APEI/GHES ARM Processor Error handling can cause an Oops or panic when processing malformed error records.
Vulnerability
A flaw in the Linux kernel's APEI/GHES (Generic Hardware Error Source) subsystem for ARM Processor Errors can lead to a system crash. The function log_arm_hw_error() iterates over error context information without verifying that the reported section_length or context info size fields stay within the allocated memory buffer. If a BIOS or firmware generates a very small or incomplete ARM Processor Error record, the kernel may read beyond the provided data, triggering an Oops or panic as shown in the reported crash trace [1].
Exploitation
An attacker with the ability to supply malformed ARM Processor Error records—typically through ACPI firmware tables or via GHESv2 notifications—can trigger the out-of-bounds read. No special privileges are required beyond the ability to influence the error data (e.g., via physical access or compromised firmware). The vulnerability can be exploited locally from kernel context, as the error handling runs in a workqueue (kworker) during ACPI notification processing.
Impact
Successful exploitation results in a denial of service (DoS) due to an Oops or kernel panic. The system crashes, potentially causing data loss or interruption of services. The crash message indicates an internal error at log_arm_hw_error+0x5c due to accessing invalid memory.
Mitigation
The fix adds proper bounds checks for err->section_length and ctx_info->size before using them as loop counters or pointer offsets. Patches have been applied to the Linux kernel stable trees; users should update to kernels containing the commits referenced in [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
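The bounds checks described under Mitigation, sketched in userspace C as an added example (not the kernel patch and not code from this page). The three structs are simplified stand-ins with assumed layouts that keep only the fields named in the listing above, and ctx_len_checked and check_sample are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins (assumed layouts); only the fields the listing uses. */
struct arm_err      { uint16_t err_info_num, context_info_num; uint32_t section_length; };
struct arm_err_info { uint8_t raw[32]; };
struct arm_ctx_info { uint16_t version, type; uint32_t size; };

/* Total context length of the record in buf[0..len), or -1 if malformed. */
long ctx_len_checked(const uint8_t *buf, size_t len)
{
    struct arm_err err;
    struct arm_ctx_info ctx;
    size_t off = sizeof(err), limit, total = 0;
    if (len < sizeof(err))
        return -1;                       /* truncated header */
    memcpy(&err, buf, sizeof(err));
    limit = err.section_length;
    if (limit < sizeof(err) || limit > len)
        return -1;                       /* claimed length must fit the buffer */
    if ((limit - off) / sizeof(struct arm_err_info) < err.err_info_num)
        return -1;                       /* err_info array runs past the record */
    off += (size_t)err.err_info_num * sizeof(struct arm_err_info);
    for (unsigned n = 0; n < err.context_info_num; n++) {
        if (limit - off < sizeof(ctx))
            return -1;                   /* no room for the next ctx header */
        memcpy(&ctx, buf + off, sizeof(ctx));
        if (ctx.size > limit - off - sizeof(ctx))
            return -1;                   /* ctx payload runs past the record */
        off += sizeof(ctx) + ctx.size;
        total += sizeof(ctx) + ctx.size;
    }
    return (long)total;
}

/* Constructed sample: nctx blocks of ctx_size bytes; parse only buf_len bytes. */
long check_sample(uint16_t nctx, uint32_t ctx_size, uint32_t claimed, size_t buf_len)
{
    static uint8_t buf[256];
    struct arm_err err = { 0, nctx, claimed };
    struct arm_ctx_info ctx = { 0, 0, ctx_size };
    size_t off = sizeof(err);
    memcpy(buf, &err, sizeof(err));
    for (unsigned n = 0; n < nctx && off + sizeof(ctx) <= sizeof(buf); n++) {
        memcpy(buf + off, &ctx, sizeof(ctx));
        off += sizeof(ctx) + ctx_size;
    }
    return ctx_len_checked(buf, buf_len < sizeof(buf) ? buf_len : sizeof(buf));
}
```

Every length taken from the record is compared against the bytes still available before it is used as an offset, so a short or inconsistent record is rejected instead of being walked.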
Affected products (2)
- Range: 6.18.0-rc1
Patches (0)
No patches discovered yet.
References (4)
News mentions (1)
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026