CVE-2026-43331
Modified Modified - Updated After Analysis
KCOV Instrumentation Disabled in Linux Kernel After load_segments

Publication date: 2026-05-08

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Disable KCOV instrumentation after load_segments() The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop. To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel: $ kexec -l /boot/otherKernel $ kexec -e The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously. Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc()) is also undesirable as it would introduce an extra performance overhead. Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered. The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there. [ bp: Space out comment for better readability. ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-09
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43331
EUVD
EUVD-2026-28615
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.6 (inc) to 6.18.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel related to the interaction between the load_segments() function and KCOV instrumentation. The load_segments() function changes segment registers, which invalidates the GS base that KCOV relies on for per-CPU data. When CONFIG_KCOV is enabled, any subsequent instrumented C code call, such as native_gdt_invalidate(), causes the kernel to crash in an endless loop.

The issue occurs specifically when performing a kexec on a KCOV-instrumented kernel, which is a process used to load and execute a new kernel without rebooting the hardware. This problem is particularly relevant in scenarios like enabling crash dump collection in syzkaller, where both CONFIG_KEXEC and CONFIG_KCOV need to be enabled simultaneously.

The fix involves disabling KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c files to avoid crashes, as adding safeguards to the KCOV fast-path would introduce performance overhead and disabling instrumentation for individual functions would be fragile.

Impact Analysis

This vulnerability can cause the Linux kernel to crash in an endless loop when performing kexec on a kernel instrumented with KCOV. This can disrupt system stability and availability, especially in environments that rely on crash dump collection and kernel fuzzing tools like syzkaller.

Systems that enable both CONFIG_KEXEC and CONFIG_KCOV simultaneously are at risk of kernel crashes during kernel loading operations, potentially leading to downtime or loss of data if the system cannot recover gracefully.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the issue on a system with both CONFIG_KEXEC and CONFIG_KCOV enabled. Specifically, running the following commands on a KCOV-instrumented kernel can trigger the problem:

  • $ kexec -l /boot/otherKernel
  • $ kexec -e

If the kernel crashes in an endless loop after these commands, it indicates the presence of the vulnerability.

Mitigation Strategies

To mitigate this vulnerability, the KCOV instrumentation should be disabled after the load_segments() function is called. Specifically, the fix involves disabling KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c components to prevent kernel crashes.

Avoid enabling both CONFIG_KEXEC and CONFIG_KCOV simultaneously on 64-bit kernels until the fix is applied, especially if using crash dump collection workflows like syzkaller.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart