CVE-2026-43347
Description
In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved.
From the boot log, the Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
    qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion (0x91a88000–0x91afffff) is incorrectly reported as conventional memory (from efi debug):
    efi: 0x000091a40000-0x000091a87fff [Reserved...]
    efi: 0x000091a88000-0x0000938fffff [Conventional...]
As a result, the allocator may hand out PFNs inside the hypervisor-owned region, causing fatal aborts when the kernel accesses those addresses.
Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area.
For the record: Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the arm64 device tree for Qualcomm Monaco fails to fully reserve the Gunyah hypervisor metadata region, causing the kernel to access hypervisor-owned memory and triggering Synchronous External Abort exceptions.
The vulnerability stems from an incomplete memory reservation in the ARM64 device tree for Qualcomm Monaco. The hypervisor (Gunyah) reports a memory region at 0x91a80000 (512 KiB) as hypervisor-owned, but the EFI memory map only reserves the subrange 0x91a40000–0x91a87fff (288 KiB). The remainder (0x91a88000–0x91afffff) is incorrectly marked as conventional memory, allowing the kernel to allocate and access pages that belong to the hypervisor [1].
Exploitation occurs when the kernel inadvertently accesses these improperly reserved addresses, leading to a Synchronous External Abort (ESR=0x96000010). This can be triggered by any memory allocation or access that touches the disputed region, potentially through normal system operations or deliberate actions by an attacker. No special privileges are required beyond the ability to influence memory allocation on the target system.
The primary impact is a denial of service, as the system crashes due to the external abort. The CVSS v3 score of 7.5 (High) reflects the high availability impact, as the vulnerability can be reliably exploited to cause a system panic.
The fix, applied in the Linux kernel, adds a reserved-memory carveout for the full 512 KiB Gunyah metadata region at 0x91a80000 with the no-map flag, preventing the kernel from mapping or allocating from this area. Users are advised to update to a patched kernel version from the stable branch [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.