CVE-2026-43347
Received Received - Intake
Memory Corruption in Linux Kernel on Qualcomm Monaco Platform

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved. >From boot log, The Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion (0x91a88000–0x91afffff) is incorrectly reported as conventional memory (from efi debug): efi: 0x000091a40000-0x000091a87fff [Reserved...] efi: 0x000091a88000-0x0000938fffff [Conventional...] As a result, the allocator may hand out PFNs inside the hypervisor owned region, causing fatal aborts when the kernel accesses those addresses. Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area. For the record: Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43347
EUVD
EUVD-2026-28631
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
qualcomm linux_kernel *
qualcomm linux_kernel From 2025-11-17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel on Monaco-based platforms using the arm64 architecture. The kernel mistakenly accesses memory owned by the Qualcomm hypervisor, which is not properly marked as reserved in the EFI memory map. Specifically, a portion of the Gunyah hypervisor metadata region is incorrectly reported as conventional memory, leading the kernel's memory allocator to assign physical frames within this hypervisor-owned area.

As a result, when the kernel accesses these addresses, it triggers spurious "Synchronous External Abort" exceptions and causes kernel crashes. The fix involves reserving the full Gunyah metadata region and marking it as no-map so that Linux neither maps nor allocates memory from this sensitive area.

Impact Analysis

This vulnerability can cause unexpected kernel crashes and system instability on affected Monaco-based platforms. The kernel's inadvertent access to hypervisor-owned memory leads to fatal aborts, which can disrupt normal system operations and potentially cause data loss or service interruptions.

Detection Guidance

This vulnerability can be detected by observing spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms.

From the boot log, you can check for messages indicating that the Qualcomm hypervisor reports a memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned, but the EFI memory map only reserves a subrange, leaving part of the hypervisor-owned memory incorrectly reported as conventional memory.

Commands to inspect the EFI memory map and kernel logs may help detect this issue, such as checking dmesg or journalctl for related abort exceptions and memory reservation messages.

Mitigation Strategies

The vulnerability is mitigated by adding a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and marking it as no-map so that Linux does not map or allocate from this area.

This prevents the kernel from inadvertently accessing hypervisor-owned memory that is not properly marked as reserved, thus avoiding the fatal aborts and kernel crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43347. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart