CVE-2026-43266
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel EFI/CPER Handling

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43266
EUVD
EUVD-2026-27665
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 4.13 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of ARM processor CPER (Common Platform Error Record) records within the EFI/CPER subsystem.

The issue arises because the kernel trusts the section_length field in the CPER record without properly verifying if it is too large. While there is a check to detect if the section_length is too small, there is no check for it being excessively large.

An attacker or faulty firmware can provide a CPER record with an abnormally large section_length value, causing the kernel to dump a very large amount of data beyond the intended firmware memory area. This can lead to improper handling of hardware error records.

The fix involves adding logic to prevent the kernel from processing section_length values that exceed the buffer size, especially when ERR_INFO_NUM is too large, and instead report an error indicating the section length is too big and the firmware-generated error record is incorrect.

Impact Analysis

This vulnerability can cause the Linux kernel to process and dump excessive amounts of data due to an unchecked large section_length in ARM processor CPER records.

Such behavior may lead to system instability, potential denial of service, or exposure of unintended memory contents, which could be exploited by attackers to disrupt system operations or gain unauthorized information.

Detection Guidance

This vulnerability relates to the Linux kernel handling of ARM processor CPER records, where an excessively large section_length can cause a very long dump beyond the firmware memory-mapped area.

Detection would involve monitoring hardware error logs for suspicious or malformed CPER records, especially those indicating unusually large section lengths or errors related to ARM processor error sections.

Typical commands to check hardware error logs on Linux systems include:

  • dmesg | grep -i 'Hardware Error'
  • journalctl -k | grep -i 'Hardware Error'
  • sudo cat /sys/firmware/efi/efivars/* | grep -i 'CPER'

Look for messages similar to the example given in the description, such as 'section length is too big' or 'firmware-generated error record is incorrect'.

Mitigation Strategies

The vulnerability is fixed by adding logic in the Linux kernel to prevent processing CPER records with section lengths that exceed the buffer size.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Monitor hardware error logs for suspicious CPER records to detect potential exploitation attempts.
  • If updating the kernel is not immediately possible, consider restricting or monitoring firmware error reporting interfaces to prevent processing of malformed CPER records.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart