CVE-2026-43445
Received Received - Intake
Memory Leak in Linux Kernel e1000/e1000e Network Drivers

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak. In these commits, a faulty while condition caused an infinite loop in dma_error: Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver") Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error. This issue may still exist in the igbvf driver, but I did not address it in this patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43445
EUVD
EUVD-2026-28751
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
intel e1000 *
intel e1000e *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's e1000 and e1000e network drivers. It involves a flaw in the handling of DMA (Direct Memory Access) error cleanup when mapping transmit (TX) buffers. Specifically, if an error occurs while mapping TX buffers, the driver is supposed to unmap any buffers that were already successfully mapped for the socket buffer (skb).

The problem arises because the count of successfully mapped buffers is incremented after each successful mapping, but the code decrements this count before a cleanup loop, causing an off-by-one error. This means that if at least one buffer was successfully mapped before an error, exactly one DMA mapping would leak (not be properly unmapped).

Additionally, earlier commits introduced a faulty while loop condition that caused an infinite loop during DMA error handling, which was later fixed but introduced this off-by-one error. The issue may also exist in the igbvf driver but was not addressed in the patch.


How can this vulnerability impact me? :

This vulnerability can lead to a resource leak in the form of DMA mappings that are not properly cleaned up when an error occurs during buffer mapping. Such leaks can cause increased memory usage and potentially degrade system performance over time.

In worst cases, resource leaks in kernel drivers can contribute to system instability or crashes if resources become exhausted. However, the description does not specify any direct security impact such as privilege escalation or data corruption.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart