CVE-2026-43071
Awaiting Analysis Awaiting Analysis - Queue
Out-of-Bounds Read in Linux Kernel dcache

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-05-07
AI Q&A
2026-05-05
EPSS Evaluated
N/A
NVD
CVE-2026-43071
EUVD
EUVD-2026-27375
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's dentry_hashtable when the user sets the parameter 'dhash_entries' to 1. It causes an out-of-bounds (OOB) read error because the system allocates only one bucket in the dentry_hashtable, but the code attempts to access more than one bucket. This leads to accessing unallocated memory regions, resulting in a kernel page fault and a crash.

The root cause is that with 'dhash_entries=1', the variable 'd_hash_shift' is set to 32, which causes a right shift operation on a 32-bit value to behave unexpectedly, pointing to memory outside the allocated range. The fix limits the minimal number of buckets in the dentry_hashtable to two, preventing 'd_hash_shift' from exceeding the bit width of the data type and avoiding the out-of-bounds read.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash due to an out-of-bounds read, leading to a denial of service (DoS) condition. Specifically, it triggers a kernel page fault when accessing invalid memory, which can destabilize the system or cause it to become unresponsive.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to an out-of-bounds read in the Linux kernel's dentry_hashtable when the kernel parameter 'dhash_entries' is set to 1.

Detection involves checking if the kernel is configured or running with 'dhash_entries=1', which causes the issue.

You can check the current kernel boot parameters by running the following command:

  • cat /proc/cmdline

Look for 'dhash_entries=1' in the output. If present, the system is potentially vulnerable.

Additionally, kernel logs may show OOPS or page fault messages similar to the following if the vulnerability is triggered:

  • BUG: unable to handle page fault for address: ffff888b30b774b0
  • #PF: supervisor read access in kernel mode
  • Oops: Oops: 0000 [#1] SMP PTI

You can check kernel logs for such messages using:

  • dmesg | grep -i 'BUG\|Oops\|page fault'

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by setting the kernel parameter 'dhash_entries' to 1, which leads to an out-of-bounds read.

Immediate mitigation steps include:

  • Ensure that the kernel parameter 'dhash_entries' is not set to 1. If it is set, change it to 2 or higher.
  • If you have control over kernel boot parameters, remove or adjust 'dhash_entries=1' from the bootloader configuration.
  • Update the Linux kernel to a version where this vulnerability is fixed, which limits the minimal number of dentry_hashtable buckets to two.

These steps will prevent the kernel from accessing unallocated memory regions and avoid the out-of-bounds read.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart