CVE-2026-43486: Kernel Contpte Fault in Linux Kernel
Plattform
linux
Komponente
linux
Behoben in
97c5550b763171dbef61e6239cab372b9f9cd4a2
CVE-2026-43486 addresses a flaw within the Linux Kernel's contpte subsystem. This vulnerability stems from an incorrect check within the setaccessflags() function, potentially leading to incorrect handling of memory access permissions. The issue affects Linux Kernel versions prior to 97c5550b763171dbef61e6239cab372b9f9cd4a2, and a patch has been released to resolve it.
Auswirkungen und Angriffsszenarienwird übersetzt…
The vulnerability lies in the contpteptepsetaccessflags() function, where a comparison against the gathered PTEP value could be misleading. Specifically, ptepget() ORs AF/dirty flags from all sub-PTEs, meaning a dirty sibling PTE could falsely indicate the target is already dirty. This can cause the function to return prematurely, even if the target sub-PTE still has PTERDONLY set in hardware. An attacker could potentially exploit this to bypass access controls and gain unauthorized access to memory regions. While the description mentions FEAT_HAFDBS, the core issue impacts systems regardless of this feature's presence, as the flawed logic remains. The potential impact includes privilege escalation and data breaches.
Ausnutzungskontextwird übersetzt…
The vulnerability was published on 2026-05-13. Its inclusion in the Linux Kernel indicates a significant security concern. As of this writing, there is no indication of this CVE being listed on KEV or having an EPSS score. Public proof-of-concept exploits are currently unknown, but the nature of the vulnerability suggests it could be targeted by advanced persistent threats (APTs) with kernel development expertise. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Betroffene Software
Zeitleiste
- Reserviert
- Veröffentlicht
Mitigation und Workaroundswird übersetzt…
The primary mitigation for CVE-2026-43486 is to upgrade the Linux Kernel to version 97c5550b763171dbef61e6239cab372b9f9cd4a2 or later. Before upgrading, ensure compatibility with existing hardware and software. If a direct upgrade is not feasible due to compatibility issues, consider rolling back to a previous stable kernel version if possible, although this may introduce other vulnerabilities. There are no specific WAF or proxy rules applicable to this kernel-level vulnerability. Monitor kernel logs for any unusual memory access patterns after the upgrade.
So behebenwird übersetzt…
Aplicar la actualización del kernel a la versión 6.9 o superior. Esta actualización corrige un error en el manejo de las señales de fallo de la SMMU/ATS, evitando un posible bucle infinito de fallos en ciertas configuraciones de hardware.
Häufig gestellte Fragenwird übersetzt…
What is CVE-2026-43486 — Kernel Contpte Fault in Linux Kernel?
CVE-2026-43486 is a vulnerability in the Linux Kernel's contpte subsystem where a faulty check in setaccessflags() can lead to incorrect memory access permissions, potentially allowing unauthorized access.
Am I affected by CVE-2026-43486 in Linux Kernel?
You are affected if your Linux Kernel version is prior to 97c5550b763171dbef61e6239cab372b9f9cd4a2. Check your kernel version using uname -r.
How do I fix CVE-2026-43486 in Linux Kernel?
Upgrade your Linux Kernel to version 97c5550b763171dbef61e6239cab372b9f9cd4a2 or later. Ensure compatibility before upgrading.
Is CVE-2026-43486 being actively exploited?
Currently, there are no known public exploits or active campaigns targeting CVE-2026-43486, but the vulnerability's nature suggests it could be a target for advanced attackers.
Where can I find the official Linux advisory for CVE-2026-43486?
Refer to the Linux Kernel security mailing list and relevant distribution security advisories for the official advisory regarding CVE-2026-43486.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Jetzt testen — kein Konto
Laden Sie ein beliebiges Manifest hoch (composer.lock, package-lock.json, WordPress-Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/E-Mail-Benachrichtigungen, mehrere Projekte und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...