CVE-2026-45851
Description
In the Linux kernel, the following vulnerability has been resolved:
efi: Fix reservation of unaccepted memory table
The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned.
If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory().
This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB).
Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel bug in EFI unaccepted memory table reservation can cause kernel panic in Intel TDX VMs with >64GB memory; fixed by correcting alignment calculation.
Vulnerability
The reserve_unaccepted() function in the Linux kernel incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned. If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This issue affects kernels used in Intel TDX VMs with specific memory sizes (e.g., >64 GB).
Exploitation
An attacker would need to be able to trigger the vulnerable code path in a system where the unaccepted memory table is not page-aligned and the memory size exceeds 64 GB. This typically requires control over the VM configuration or the ability to influence memory layout. No special privileges are needed beyond the ability to boot the affected kernel in such a configuration. The bug manifests during memory acceptance operations, leading to a kernel panic.
Impact
Successful exploitation results in a kernel panic in accept_memory(), causing a denial of service. The unaccepted memory table may be overwritten or become inaccessible, leading to system instability or crash. No privilege escalation or data confidentiality impact is described.
Mitigation
The fix is included in commit e649b5916725c68f44ebf45fb396df563c5dbaf2 in the Linux kernel stable tree [1]. Users should update to a kernel version containing this commit. No workaround is documented; systems not using Intel TDX or with memory sizes below 64 GB are not affected. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10ba6b6f1502faefi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index acabc856fe8a58..0d1a65879a3586 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -667,13 +667,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index acabc856fe8a58..0d1a65879a3586 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -667,13 +667,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
9b18bf59977fefi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index fc407d891348f0..c3cf5541ed682f 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -691,13 +691,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index fc407d891348f0..c3cf5541ed682f 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -691,13 +691,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
e649b5916725efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 17b5f3415465ed..92e91c3eb4690e 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 17b5f3415465ed..92e91c3eb4690e 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
0862438c9048efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 111e87a618e5f2..56e9d73412faac 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 111e87a618e5f2..56e9d73412faac 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
b7bc182ec184efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ab161e00c8679..ef55e3851b3623 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -648,13 +648,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ab161e00c8679..ef55e3851b3623 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -648,13 +648,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
9b18bf59977fefi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index fc407d891348f0..c3cf5541ed682f 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -691,13 +691,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index fc407d891348f0..c3cf5541ed682f 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -691,13 +691,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
b7bc182ec184efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ab161e00c8679..ef55e3851b3623 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -648,13 +648,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ab161e00c8679..ef55e3851b3623 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -648,13 +648,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
ba6b6f1502faefi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index acabc856fe8a58..0d1a65879a3586 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -667,13 +667,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index acabc856fe8a58..0d1a65879a3586 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -667,13 +667,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
e649b5916725efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 17b5f3415465ed..92e91c3eb4690e 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 17b5f3415465ed..92e91c3eb4690e 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
0862438c9048efi: Fix reservation of unaccepted memory table
2 files changed · +8 −10
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 111e87a618e5f2..56e9d73412faac 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
drivers/firmware/efi/efi.c+4 −5 modifieddiff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 111e87a618e5f2..56e9d73412faac 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -692,13 +692,13 @@ static __init int match_config_table(const efi_guid_t *guid, static __init void reserve_unaccepted(struct efi_unaccepted_memory *unaccepted) { - phys_addr_t start, size; + phys_addr_t start, end; start = PAGE_ALIGN_DOWN(efi.unaccepted); - size = PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size); + end = PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size); - memblock_add(start, size); - memblock_reserve(start, size); + memblock_add(start, end - start); + memblock_reserve(start, end - start); } int __init efi_config_parse_tables(const efi_config_table_t *config_tables, -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Incorrect memblock reservation size calculation in reserve_unaccepted() that aligns only the table's content size without accounting for a non-page-aligned starting address, causing the last page of the table to be unreserved."
Attack vector
An attacker who can influence the physical placement of the EFI unaccepted memory table (e.g., via firmware configuration in an Intel TDX VM with specific memory sizes >64GB) can cause the table to start at a non-page-aligned address. The flawed size calculation in `reserve_unaccepted()` then fails to reserve the final page of the table, allowing that page to be overwritten by subsequent memory allocations. When the kernel later calls `accept_memory()` to access the table, it reads corrupted data, leading to a kernel panic.
Affected code
The bug is in the `reserve_unaccepted()` function in `drivers/firmware/efi/efi.c` [patch_id=2662096]. The function is responsible for reserving the EFI unaccepted memory table in the memblock allocator.
What the fix does
The patch replaces the `size` variable with an `end` variable [patch_id=2662096]. Instead of computing `PAGE_ALIGN(sizeof(*unaccepted) + unaccepted->size)` (which aligns only the table's content size, ignoring the unaligned start offset), the fix computes `PAGE_ALIGN(efi.unaccepted + sizeof(*unaccepted) + unaccepted->size)` — the true end physical address of the table — and then aligns that end upward. The reservation size is then `end - start`, which correctly covers the full range from the page-aligned start through the page-aligned end, including any partial page at the beginning.
Preconditions
- inputThe EFI unaccepted memory table's physical address (efi.unaccepted) must not be page-aligned.
- configThe system must be an Intel TDX VM (or similar confidential computing environment) using the unaccepted memory mechanism.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505nvd
- git.kernel.org/stable/c/9b18bf59977f5c5bc3b11b210520f62500a7adf3nvd
- git.kernel.org/stable/c/b7bc182ec1846be437351e44164089d988f9d0ddnvd
- git.kernel.org/stable/c/ba6b6f1502fa55621d1db23f253d54322bdbe4e0nvd
- git.kernel.org/stable/c/e649b5916725c68f44ebf45fb396df563c5dbaf2nvd
News mentions
0No linked articles in our index yet.