CVE-2026-43071
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Read in Linux Kernel dcache

Publication date: 2026-05-05

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43071
EUVD
EUVD-2026-27375
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.17
linux linux_kernel 3.17
linux linux_kernel 3.17
linux linux_kernel 3.17
linux linux_kernel From 3.10.55 (inc) to 3.11 (exc)
linux linux_kernel From 3.12.29 (inc) to 3.13 (exc)
linux linux_kernel From 3.14.19 (inc) to 3.15 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 7.0 (inc) to 7.0.1 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 3.17.1 (inc) to 6.6.136 (exc)
linux linux_kernel From 3.16.3 (inc) to 3.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's dentry_hashtable when the user sets the parameter 'dhash_entries' to 1. It causes an out-of-bounds (OOB) read error because the system allocates only one bucket in the dentry_hashtable, but the code attempts to access more than one bucket. This leads to accessing unallocated memory regions, resulting in a kernel page fault and a crash.

The root cause is that with 'dhash_entries=1', the variable 'd_hash_shift' is set to 32, which causes a right shift operation on a 32-bit value to behave unexpectedly, pointing to memory outside the allocated range. The fix limits the minimal number of buckets in the dentry_hashtable to two, preventing 'd_hash_shift' from exceeding the bit width of the data type and avoiding the out-of-bounds read.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to an out-of-bounds read, leading to a denial of service (DoS) condition. Specifically, it triggers a kernel page fault when accessing invalid memory, which can destabilize the system or cause it to become unresponsive.

Detection Guidance

This vulnerability is related to an out-of-bounds read in the Linux kernel's dentry_hashtable when the kernel parameter 'dhash_entries' is set to 1.

Detection involves checking if the kernel is configured or running with 'dhash_entries=1', which causes the issue.

You can check the current kernel boot parameters by running the following command:

  • cat /proc/cmdline

Look for 'dhash_entries=1' in the output. If present, the system is potentially vulnerable.

Additionally, kernel logs may show OOPS or page fault messages similar to the following if the vulnerability is triggered:

  • BUG: unable to handle page fault for address: ffff888b30b774b0
  • #PF: supervisor read access in kernel mode
  • Oops: Oops: 0000 [#1] SMP PTI

You can check kernel logs for such messages using:

  • dmesg | grep -i 'BUG\|Oops\|page fault'
Mitigation Strategies

The vulnerability is caused by setting the kernel parameter 'dhash_entries' to 1, which leads to an out-of-bounds read.

Immediate mitigation steps include:

  • Ensure that the kernel parameter 'dhash_entries' is not set to 1. If it is set, change it to 2 or higher.
  • If you have control over kernel boot parameters, remove or adjust 'dhash_entries=1' from the bootloader configuration.
  • Update the Linux kernel to a version where this vulnerability is fixed, which limits the minimal number of dentry_hashtable buckets to two.

These steps will prevent the kernel from accessing unallocated memory regions and avoid the out-of-bounds read.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43071. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart