CVE-2026-43169

MEDIUM · CVSS 3.1: 5.5 · EPSS 2.8%
Published May 6, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/buddy: Prevent BUG_ON by validating rounded allocation

When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order).

Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G

Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback.

This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON.

v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context
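The rounding overshoot and the size check described above, as an added user-space model in C (not the kernel patch or code from this advisory). The names model_roundup_pow_of_two, model_round_up, check_rounded_size and the SIZE_* return codes are hypothetical stand-ins for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1ULL << 30)

/* User-space stand-ins for the kernel helpers named in the description. */
static uint64_t model_roundup_pow_of_two(uint64_t n)
{
    uint64_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

static uint64_t model_round_up(uint64_t n, uint64_t align) /* align: power of two */
{
    return (n + align - 1) & ~(align - 1);
}

enum { SIZE_OK = 0, SIZE_TRY_FALLBACK = 1 }; /* hypothetical result codes */

/* Model of the check: compare the rounded size with the pool size (mm->size)
 * before any order is derived from it, so BUG_ON(order > max_order) is never
 * reached with an oversized request. */
static int check_rounded_size(uint64_t mm_size, uint64_t size,
                              uint64_t min_block_size,
                              bool contiguous, bool range_limited)
{
    uint64_t rounded = contiguous ? model_roundup_pow_of_two(size)
                                  : model_round_up(size, min_block_size);

    if (rounded <= mm_size)
        return SIZE_OK;            /* rounded request still fits the pool */
    if (contiguous && !range_limited)
        return SIZE_TRY_FALLBACK;  /* left to the try-harder fallback path */
    return -EINVAL;                /* non-contiguous or range request: reject */
}

int main(void)
{
    /* The two scenarios from the description: 10G pool, 9G request. */
    printf("contiguous 9G:        %d\n",
           check_rounded_size(10 * GiB, 9 * GiB, 4096, true, false));
    printf("9G, 8G min_block:     %d\n",
           check_rounded_size(10 * GiB, 9 * GiB, 8 * GiB, false, false));
    return 0;
}
```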

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 3

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥6.7 – <6.12.75
linux   linux_kernel  *        ≥6.13 – <6.18.16
linux   linux_kernel  *        ≥6.19 – <6.19.6

References 4

  • git.kernel.org https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727
    Patch