{"id":"CVE-2026-43277","summary":"APEI/GHES: ensure that won't go past CPER allocated record","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nAPEI/GHES: ensure that won't go past CPER allocated record\n\nThe logic at ghes_new() prevents allocating too large records, by\nchecking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).\nYet, the allocation is done with the actual number of pages from the\nCPER bios table location, which can be smaller.\n\nYet, a bad firmware could send data with a different size, which might\nbe bigger than the allocated memory, causing an OOPS:\n\n    Unable to handle kernel paging request at virtual address fff00000f9b40000\n    Mem abort info:\n      ESR = 0x0000000096000007\n      EC = 0x25: DABT (current EL), IL = 32 bits\n      SET = 0, FnV = 0\n      EA = 0, S1PTW = 0\n      FSC = 0x07: level 3 translation fault\n    Data abort info:\n      ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n      CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n      GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n    swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000\n    [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000\n    Internal error: Oops: 0000000096000007 [#1]  SMP\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT\n    Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\n    Workqueue: kacpi_notify acpi_os_execute_deferred\n    pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n    pc : hex_dump_to_buffer+0x30c/0x4a0\n    lr : hex_dump_to_buffer+0x328/0x4a0\n    sp : ffff800080e13880\n    x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083\n    x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004\n    x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083\n    x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010\n    x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020\n    x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008\n    x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020\n    x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000\n    x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008\n    Call trace:\n     hex_dump_to_buffer+0x30c/0x4a0 (P)\n     print_hex_dump+0xac/0x170\n     cper_estatus_print_section+0x90c/0x968\n     cper_estatus_print+0xf0/0x158\n     __ghes_print_estatus+0xa0/0x148\n     ghes_proc+0x1bc/0x220\n     ghes_notify_hed+0x5c/0xb8\n     notifier_call_chain+0x78/0x148\n     blocking_notifier_call_chain+0x4c/0x80\n     acpi_hed_notify+0x28/0x40\n     acpi_ev_notify_dispatch+0x50/0x80\n     acpi_os_execute_deferred+0x24/0x48\n     process_one_work+0x15c/0x3b0\n     worker_thread+0x2d0/0x400\n     kthread+0x148/0x228\n     ret_from_fork+0x10/0x20\n    Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44)\n    ---[ end trace 0000000000000000 ]---\n\nPrevent that by taking the actual allocated are into account when\nchecking for CPER length.\n\n[ rjw: Subject tweaks ]","modified":"2026-06-18T03:56:11.772266176Z","published":"2026-05-06T11:28:59.486Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43277.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/616c120dcdf1ce96edcd818e38bce49667f80689"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f5d41984ad896736c23e2fff7c80e15c1319132"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92ba79074c58e65a6e32713758c5a9aecd33c2ea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98bd9b28d4d11e6739ad86524b4be4ada9025e60"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6be51a12441136fdf8c49b2525689fbea1856e1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0ec99115e135dbb58e11a0df007c7d4771d4a17"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3740a1562445f36f08afab8af59e37117b3acdc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa2408a24f8f0db14d9cfc613ef162dc267d7ad4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43277.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43277"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d334a49113a4a33109fd24e46073280ecd1bea0d"},{"fixed":"92ba79074c58e65a6e32713758c5a9aecd33c2ea"},{"fixed":"616c120dcdf1ce96edcd818e38bce49667f80689"},{"fixed":"f3740a1562445f36f08afab8af59e37117b3acdc"},{"fixed":"e0ec99115e135dbb58e11a0df007c7d4771d4a17"},{"fixed":"b6be51a12441136fdf8c49b2525689fbea1856e1"},{"fixed":"6f5d41984ad896736c23e2fff7c80e15c1319132"},{"fixed":"98bd9b28d4d11e6739ad86524b4be4ada9025e60"},{"fixed":"fa2408a24f8f0db14d9cfc613ef162dc267d7ad4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43277.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.35"},{"fixed":"5.10.252"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.202"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43277.json"}}],"schema_version":"1.7.5"}