CVE-2026-43331
KCOV Instrumentation Disabled in Linux Kernel After load_segments
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel related to the interaction between the load_segments() function and KCOV instrumentation. The load_segments() function changes segment registers, which invalidates the GS base that KCOV relies on for per-CPU data. When CONFIG_KCOV is enabled, any subsequent instrumented C code call, such as native_gdt_invalidate(), causes the kernel to crash in an endless loop.
The issue occurs specifically when performing a kexec on a KCOV-instrumented kernel; kexec is the mechanism that loads and executes a new kernel without rebooting the hardware. This problem is particularly relevant in scenarios like enabling crash dump collection in syzkaller, where both CONFIG_KEXEC and CONFIG_KCOV need to be enabled simultaneously.
The fix involves disabling KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c files to avoid crashes, as adding safeguards to the KCOV fast-path would introduce performance overhead and disabling instrumentation for individual functions would be fragile.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash in an endless loop when performing kexec on a kernel instrumented with KCOV. This can disrupt system stability and availability, especially in environments that rely on crash dump collection and kernel fuzzing tools like syzkaller.
Systems that enable both CONFIG_KEXEC and CONFIG_KCOV simultaneously are at risk of kernel crashes during kernel loading operations, potentially leading to downtime or loss of data if the system cannot recover gracefully.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the issue on a system with both CONFIG_KEXEC and CONFIG_KCOV enabled. Specifically, running the following commands on a KCOV-instrumented kernel can trigger the problem:
- $ kexec -l /boot/otherKernel
- $ kexec -e
If the kernel crashes in an endless loop after these commands, it indicates the presence of the vulnerability.
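A non-disruptive alternative, added here as an example and not part of this record: rather than triggering the crash with kexec, inspect the kernel build configuration for the CONFIG_KEXEC and CONFIG_KCOV combination. It assumes the config is readable at /proc/config.gz or /boot/config-$(uname -r), or is passed as a file path.

```shell
#!/bin/sh
# Added example (not from the CVE record): report whether a kernel build config
# enables both CONFIG_KEXEC and CONFIG_KCOV, the combination this record ties to
# the kexec crash, without having to run kexec on a live system.

# Print one option's value from kernel config text on stdin: "y" or "m" when
# set, "n" when "# CONFIG_X is not set" or absent. Matching on "CONFIG_X="
# keeps CONFIG_KEXEC distinct from CONFIG_KEXEC_FILE and CONFIG_KEXEC_CORE.
config_value() {
    awk -v opt="$1" '
        $0 == ("# " opt " is not set") { val = "n" }
        index($0, opt "=") == 1        { val = substr($0, length(opt) + 2) }
        END { print (val == "" ? "n" : val) }
    '
}

# Return 0 when both options are built in (=y), 1 otherwise.
# $1 is a config file, plain text or gzip (as /proc/config.gz is).
kcov_kexec_both_enabled() {
    cfg="$1"
    case "$cfg" in
        *.gz) cat_cmd="gzip -dc" ;;
        *)    cat_cmd="cat" ;;
    esac
    kexec_val=$($cat_cmd "$cfg" | config_value CONFIG_KEXEC)
    kcov_val=$($cat_cmd "$cfg" | config_value CONFIG_KCOV)
    [ "$kexec_val" = "y" ] && [ "$kcov_val" = "y" ]
}

# Locate the running kernel's config when no file is given, then report.
report() {
    cfg="${1:-}"
    if [ -z "$cfg" ]; then
        cfg=/proc/config.gz
        [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    fi
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg; pass a kernel config file path" >&2
        return 2
    fi
    if kcov_kexec_both_enabled "$cfg"; then
        echo "$cfg: CONFIG_KEXEC=y and CONFIG_KCOV=y (affected combination present)"
    else
        echo "$cfg: affected combination not present"; return 1
    fi
}

# Stand-alone use: sh check.sh [config-file]; status ignored so the file can be sourced.
report "$@" || :
```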
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, code that runs after load_segments() has changed the segment registers must not be KCOV-instrumented. The fix achieves this by disabling KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c files rather than for individual functions, which prevents the kernel crash.
Avoid enabling both CONFIG_KEXEC and CONFIG_KCOV simultaneously on 64-bit kernels until the fix is applied, especially if using crash dump collection workflows like syzkaller.