CVE-2026-43331

MEDIUM EPSS 2.3%
Published May 8, 20261mo ago · Modified Jun 19, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 19, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Disable KCOV instrumentation after load_segments() The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop. To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel: $ kexec -l /boot/otherKernel $ kexec -e The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously. Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc()) is also undesirable as it would introduce an extra performance overhead. Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered. The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there. [ bp: Space out comment for better readability. ]

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥6.6  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/0e96cd314c0d819c1635d68125a4d77852c2162e
  • git.kernel.org https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/593d67032544b9271094fc9b43e437e017cb2b2f
  • git.kernel.org https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08
    Patch