Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 11, 2026

CVE-2026-43210


Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing the next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point to a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel ring-buffer missing event length check in rb_read_data_buffer() could cause invalid memory access during boot.

In the Linux kernel's ring-buffer subsystem, the function rb_read_data_buffer() is used to validate ring-buffer data, typically during early boot. The vulnerability arises because the code does not verify the length of an event before using it to compute the address of the next event. If the event length is corrupted or out of bounds, the pointer arithmetic e + len can point to an arbitrary memory location, leading to an invalid memory access [1].

An attacker with the ability to influence the contents of a ring buffer—for example, by providing a crafted kernel image or through a compromised hypervisor—could exploit this missing check. The function is invoked during boot-time ring-buffer validation, so no authentication or special privileges are required beyond the ability to supply the corrupted buffer data. The attack surface is limited to scenarios where the ring buffer data is untrusted, such as when loading a kernel from a potentially malicious source.

The impact of a successful exploit is a kernel crash (denial of service) or, in some cases, an out-of-bounds read that could leak sensitive kernel memory. The CVSS v3 score of 5.5 (Medium) reflects the requirement for local access or a specific trusted-boot context, but the consequence can be system instability or information disclosure.

The fix, committed to the Linux kernel stable tree, adds a length check before using the event length to advance to the next event. Users are advised to update to a kernel version containing the patch, identified by commit 5026010110a5 [1] and its backports to stable branches.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
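
The pattern the description calls for, as an added example that is neither the kernel's code nor the actual patch: a user-space walker over variable-length records that range-checks each length before adding it to the cursor. The record layout (struct demo_event) and the names demo_validate_page and demo_run are hypothetical, and the sample page is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for illustration only; the kernel's real
 * ring-buffer event encoding is different. */
struct demo_event {
    uint32_t len;      /* total size of this record, header included */
    uint32_t ts_delta; /* not used by the check */
};

/* Walk the records in buf[0..commit). Returns the record count, or -1 as
 * soon as a length field would move the cursor outside the buffer. */
int demo_validate_page(const uint8_t *buf, size_t commit)
{
    size_t off = 0;
    int events = 0;
    while (off < commit) {
        struct demo_event hdr;
        size_t remaining = commit - off;
        if (remaining < sizeof(hdr))
            return -1;                        /* truncated header */
        memcpy(&hdr, buf + off, sizeof(hdr)); /* no unaligned access */
        /* Range-check len BEFORE adding it to the cursor: 0 would never
         * advance, and a value above `remaining` would leave the buffer. */
        if (hdr.len < sizeof(hdr) || hdr.len > remaining)
            return -1;
        off += hdr.len;
        events++;
    }
    return events;
}

/* Constructed page: two 16-byte records; second_len overrides the second length. */
int demo_run(uint32_t second_len)
{
    uint8_t page[32] = {0};
    struct demo_event e = { .len = 16, .ts_delta = 1 };
    memcpy(page, &e, sizeof(e));
    e.len = second_len;
    memcpy(page + 16, &e, sizeof(e));
    return demo_validate_page(page, sizeof(page));
}

int main(void)
{
    printf("intact=%d corrupt=%d\n", demo_run(16), demo_run(0xFFFFFFF0u));
    return 0;
}
```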
