CVE-2026-43129
Page Fault in Linux Kernel IMA Buffer Validation
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's Integrity Measurement Architecture (IMA) when the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>". In this scenario, the IMA measurement buffer handed over from the previous kernel may lie outside the addressable RAM of the new kernel. Accessing this buffer can cause a page fault during early restore, leading to a kernel crash or instability.
The issue specifically affects x86_64 architectures and is caused by the kernel attempting to access memory that is not mapped or addressable in the new kernel environment. The patch introduces a helper function, ima_validate_range(), to verify that the previous kernel's IMA buffer lies within the addressable memory range before accessing it.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to experience a page fault and potentially crash or become unstable during the boot process when using kexec with memory limiting parameters. This can lead to system downtime or failure to boot properly, impacting system availability and reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a page fault during the boot of a second-stage kernel via kexec when the IMA measurement buffer from the previous kernel lies outside the addressable RAM of the new kernel.
Detection involves observing kernel logs for page fault errors related to ima_restore_measurement_list, such as:
- BUG: unable to handle page fault for address: ffff97793ff47000
- RIP: ima_restore_measurement_list+0xdc/0x45a
- #PF: error_code(0x0000) not-present page
You can check kernel logs using commands like:
- dmesg | grep -i ima_restore_measurement_list
- journalctl -k | grep -i page\ fault
Additionally, verifying that the previous kernel's IMA buffer lies within the current kernel's addressable RAM can help detect the issue, but no specific commands for that check are available here.
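The two grep commands above match independently, and the second one hits any page fault. As an added example (not from the kernel patch or the advisory), this shell function reports only oopses whose faulting RIP is in ima_restore_measurement_list; the function names, timestamps, and the second oops in the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: correlate the "page fault" BUG line with the RIP line of the
# same oops, so unrelated page faults are not reported.

# Reads kernel log text on stdin; prints the faulting address of every
# page-fault oops whose first RIP line is in ima_restore_measurement_list.
find_ima_restore_faults() {
    awk '
        # Start of an oops: remember the address (last field on the line).
        /BUG: unable to handle page fault for address:/ {
            addr = $NF; armed = 1; next
        }
        # The first RIP line after the BUG line names the faulting function.
        # Later RIP lines of the same oops are ignored because armed is cleared.
        armed && /RIP: / {
            if (index($0, "ima_restore_measurement_list+") > 0) print addr
            armed = 0
        }
    '
}

# Constructed sample log: the first oops uses the lines quoted in this
# advisory, the second is an unrelated fault in a made-up function.
sample_log() {
    cat <<'EOF'
[    1.200001] BUG: unable to handle page fault for address: ffff97793ff47000
[    1.200002] #PF: error_code(0x0000) - not-present page
[    1.200003] RIP: 0010:ima_restore_measurement_list+0xdc/0x45a
[   95.000001] BUG: unable to handle page fault for address: ffffc90000001000
[   95.000002] #PF: error_code(0x0002) - not-present page
[   95.000003] RIP: 0010:example_driver_write+0x1c/0x40
EOF
}

# Demo on the constructed log; prints only ffff97793ff47000.
sample_log | find_ima_restore_faults
```

On a live system, feed it the kernel log instead of the sample, for example: dmesg | find_ima_restore_faults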
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by a patch that introduces a validation step to ensure the previous kernel's IMA buffer lies within addressable RAM before accessing it.
Immediate mitigation steps include:
- Apply the patch series "Address page fault in ima_restore_measurement_list()" (version 3) to your Linux kernel.
- Avoid booting the second-stage kernel with limiting command lines such as "mem=<size>" that could cause the IMA buffer to fall outside addressable memory.
- Upgrade to a kernel version that includes the fix, which introduces the ima_validate_range() helper to verify the IMA buffer range.