{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43071","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.982Z","datePublished":"2026-05-05T15:29:28.081Z","dateUpdated":"2026-05-11T22:17:09.382Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:17:09.382Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n  BUG: unable to handle page fault for address: ffff888b30b774b0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Oops: Oops: 0000 [#1] SMP PTI\n  RIP: 0010:__d_lookup+0x56/0x120\n   Call Trace:\n    d_lookup.cold+0x16/0x5d\n    lookup_dcache+0x27/0xf0\n    lookup_one_qstr_excl+0x2a/0x180\n    start_dirop+0x55/0xa0\n    simple_start_creating+0x8d/0xa0\n    debugfs_start_creating+0x8c/0x180\n    debugfs_create_dir+0x1d/0x1c0\n    pinctrl_init+0x6d/0x140\n    do_one_initcall+0x6d/0x3d0\n    kernel_init_freeable+0x39f/0x460\n    kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n  b = d_hash(hash)\n    dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n    // The C standard defines the behavior of right shift amounts\n    // exceeding the bit width of the operand as undefined. The\n    // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n    // so 'b' will point to an unallocated memory region.\n  hlist_bl_for_each_entry_rcu(b)\n   hlist_bl_first_rcu(head)\n    h->first  // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/dcache.c"],"versions":[{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"426ef05e82ee52c8d0e95fc0808b7383d8352d73","status":"affected","versionType":"git"},{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"ddd57ebce245f9c7e2f6902a6c087d6186d2385d","status":"affected","versionType":"git"},{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"755b40903eff563768d4d96fd4ef51ec48adde3b","status":"affected","versionType":"git"},{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"5718df131ab78897a9dd1f2e71c3ba732d4392af","status":"affected","versionType":"git"},{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"277cedabb0ab86baae83fa58218be13c6d3e5526","status":"affected","versionType":"git"},{"version":"99d263d4c5b2f541dfacb5391e22e8c91ea982a6","lessThan":"f08fe8891c3eeb63b73f9f1f6d97aa629c821579","status":"affected","versionType":"git"},{"version":"d4c96061fddd129778ce8b70fb093aa532f422d0","status":"affected","versionType":"git"},{"version":"be2378cbffe50ce0161f0fdee914adee98af53dc","status":"affected","versionType":"git"},{"version":"a8be8af18485f9fade90e1743d940252a39eec84","status":"affected","versionType":"git"},{"version":"b5cf3193759f7cd1cfbeef11f5cf067bbce22e55","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/dcache.c"],"versions":[{"version":"3.17","status":"affected"},{"version":"0","lessThan":"3.17","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"7.1-rc1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73"},{"url":"https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d"},{"url":"https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b"},{"url":"https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af"},{"url":"https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526"},{"url":"https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579"}],"title":"dcache: Limit the minimal number of bucket to two","x_generator":{"engine":"bippy-1.2.0"}}}}