CVE-2026-43266
Description
In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't go past the ARM processor CPER record buffer
There's logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big.
Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, the kernel will blindly trust section_length, producing a very long dump. For instance, a 67-byte record with ERR_INFO_NUM set to 46198 and section length set to 854918320 would dump a lot of data, going way past the firmware memory-mapped area.
Fix it by adding logic to prevent it from going past the buffer if ERR_INFO_NUM is too big, making it report instead:
  [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
  [Hardware Error]: event severity: recoverable
  [Hardware Error]: Error 0, type: recoverable
  [Hardware Error]: section_type: ARM processor error
  [Hardware Error]: MIDR: 0xff304b2f8476870a
  [Hardware Error]: section length: 854918320, CPER size: 67
  [Hardware Error]: section length is too big
  [Hardware Error]: firmware-generated error record is incorrect
  [Hardware Error]: ERR_INFO_NUM is 46198
[ rjw: Subject and changelog tweaks ]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel CPER handler trusts oversized section_length from firmware, causing out-of-bounds read; fix adds bounds check.
Vulnerability Description
In the Linux kernel, the GHES/CPER (Generic Hardware Error Source / Common Platform Error Record) handler for ARM processor errors lacks proper validation of the section_length field. While existing logic detects if section_length is too small, it does not check for excessively large values. If firmware provides a malformed CPER record with an inflated section_length and a large ERR_INFO_NUM, the kernel blindly trusts these values, leading to an out-of-bounds memory read beyond the firmware-mapped region [1].
Exploitation Scenario
An attacker with the ability to inject or manipulate firmware-provided error records (e.g., via physical access, compromised firmware, or a malicious hypervisor) can trigger this vulnerability. No special privileges on the host are required beyond the ability to deliver a crafted CPER record to the kernel's error handling path. The attack surface is limited to systems using ACPI APEI (Advanced Configuration and Power Interface / ACPI Platform Error Interface) with ARM processor error source tables.
Impact
A successful exploit causes the kernel to read, and possibly dump, an excessive amount of memory from the firmware area, which can leak sensitive data or cause a denial of service via log flooding or system instability. The issue is classified as medium severity (CVSS 5.5) due to the requirement of local or adjacent access and the resulting information disclosure.
Mitigation
The fix introduces a check that prevents the kernel from iterating beyond the CPER record buffer when ERR_INFO_NUM is too large. If the size is invalid, the kernel now logs a clear error message and stops processing. The patch has been applied to the stable kernel trees [1]. Users should update to a kernel version that contains the fix, for example one that includes a stable-tree commit listed under References.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
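The bounds check described under Mitigation, as an added C sketch that is not the kernel patch itself; it feeds in the values from the description to show why the lower-bound test alone accepts the malformed record. The field offsets, the 40-byte header and 32-byte entry sizes, and the names validate_arm_section and make_record are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed little-endian layout (this example's model of the ARM section): 40-byte
 * header, ERR_INFO_NUM u16 at offset 4, section length u32 at offset 8, 32-byte entries. */
#define HDR_SIZE      40u
#define ERR_INFO_SIZE 32u
enum verdict { REC_OK, REC_TRUNCATED, REC_LEN_TOO_SMALL, REC_LEN_TOO_BIG };

static uint32_t rd_le(const uint8_t *p, unsigned n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];   /* assemble from the most significant byte down */
    return v;
}

/* size = bytes the firmware really handed over. With upper_bound == 0 only the
 * older "too small" test runs, which is the behaviour the description reports. */
enum verdict validate_arm_section(const uint8_t *rec, size_t size, int upper_bound)
{
    if (size < HDR_SIZE)
        return REC_TRUNCATED;              /* header itself is incomplete */
    uint32_t err_info_num = rd_le(rec + 4, 2);
    uint32_t section_len = rd_le(rec + 8, 4);
    size_t need = HDR_SIZE + (size_t)err_info_num * ERR_INFO_SIZE;
    if (section_len < need)
        return REC_LEN_TOO_SMALL;          /* claimed length cannot hold the entries */
    if (upper_bound && section_len > size)
        return REC_LEN_TOO_BIG;            /* would walk past the record buffer */
    return REC_OK;                         /* need <= section_len <= size when checked */
}

/* Constructed sample builder: sets the two header fields, zeroes everything else. */
void make_record(uint8_t *rec, size_t size, uint16_t num, uint32_t len)
{
    memset(rec, 0, size);
    for (int i = 0; i < 2; i++) rec[4 + i] = (uint8_t)(num >> (8 * i));
    for (int i = 0; i < 4; i++) rec[8 + i] = (uint8_t)(len >> (8 * i));
}

int main(void)
{
    uint8_t rec[67];                       /* sizes and counts quoted in the description */
    make_record(rec, sizeof(rec), 46198, 854918320u);
    printf("lower bound only: %d, with upper bound: %d\n",
           validate_arm_section(rec, 67, 0), validate_arm_section(rec, 67, 1));
    return 0;
}
```

With ERR_INFO_NUM at 46198 the entries need 1478376 bytes, which is still below the claimed section length, so only the comparison against the real record size rejects the record.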
Affected products: 1
Patches: 0
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/25b290624b0e3d2f0f90238709ee0b6009b9fde8 (nvd, Patch)
- git.kernel.org/stable/c/45766863baf899059e75595dd3cb1116467f2095 (nvd, Patch)
- git.kernel.org/stable/c/64eb63f573f497553e1a0c388bbcdd639e0f0704 (nvd, Patch)
- git.kernel.org/stable/c/a68d22902a6916e10ee235fee609239004e129d0 (nvd, Patch)
- git.kernel.org/stable/c/be10c1bdf64a39832998f54900aa309b3917abcf (nvd, Patch)
- git.kernel.org/stable/c/c80113dcfc807308f5ab33847fae77e07531aeb8 (nvd, Patch)
- git.kernel.org/stable/c/ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4 (nvd, Patch)
- git.kernel.org/stable/c/eae21beecb95a3b69ee5c38a659f774e171d730e (nvd, Patch)