9.1

CVE-2026-43071

dcache: Limit the minimal number of bucket to two

In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets
'dhash_entries=1':
  BUG: unable to handle page fault for address: ffff888b30b774b0
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  Oops: Oops: 0000 [#1] SMP PTI
  RIP: 0010:__d_lookup+0x56/0x120
   Call Trace:
    d_lookup.cold+0x16/0x5d
    lookup_dcache+0x27/0xf0
    lookup_one_qstr_excl+0x2a/0x180
    start_dirop+0x55/0xa0
    simple_start_creating+0x8d/0xa0
    debugfs_start_creating+0x8c/0x180
    debugfs_create_dir+0x1d/0x1c0
    pinctrl_init+0x6d/0x140
    do_one_initcall+0x6d/0x3d0
    kernel_init_freeable+0x39f/0x460
    kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is
set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
following process will access more than one buckets(which memory region
is not allocated) in dentry_hashtable:
 d_lookup
  b = d_hash(hash)
    dentry_hashtable + ((u32)hashlen >> d_hash_shift)
    // The C standard defines the behavior of right shift amounts
    // exceeding the bit width of the operand as undefined. The
    // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
    // so 'b' will point to an unallocated memory region.
  hlist_bl_for_each_entry_rcu(b)
   hlist_bl_first_rcu(head)
    h->first  // read OOB!

Fix it by limiting the minimal number of dentry_hashtable bucket to two,
so that 'd_hash_shift' won't exceeds the bit width of type u32.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.10.55 < 3.11
LinuxLinux Kernel Version >= 3.12.29 < 3.13
LinuxLinux Kernel Version >= 3.14.19 < 3.15
LinuxLinux Kernel Version >= 3.16.3 < 3.17
LinuxLinux Kernel Version >= 3.17.1 < 6.6.136
LinuxLinux Kernel Version >= 6.7 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
LinuxLinux Kernel Version3.17 Update-
LinuxLinux Kernel Version3.17 Updaterc5
LinuxLinux Kernel Version3.17 Updaterc6
LinuxLinux Kernel Version3.17 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.39% 0.306
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526
Patch
https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73
Patch
https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af
Patch
https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b
Patch
https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d
Patch
https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579
Patch
https://git.kernel.org/stable/c/45b06bb5ea96f75ad81d7ef446f832ea6b0026fe