CVE-2026-43489

EPSS 0.02%
Veröffentlicht 13.05.2026 15:08:33
Zuletzt bearbeitet 13.05.2026 16:16:52
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

liveupdate: luo_file: remember retrieve() status

In the Linux kernel, the following vulnerability has been resolved:

liveupdate: luo_file: remember retrieve() status

LUO keeps track of successful retrieve attempts on a LUO file.  It does so
to avoid multiple retrievals of the same file.  Multiple retrievals cause
problems because once the file is retrieved, the serialized data
structures are likely freed and the file is likely in a very different
state from what the code expects.

The retrieve boolean in struct luo_file keeps track of this, and is passed
to the finish callback so it knows what work was already done and what it
has left to do.

All this works well when retrieve succeeds.  When it fails,
luo_retrieve_file() returns the error immediately, without ever storing
anywhere that a retrieve was attempted or what its error code was.  This
results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,
but nothing prevents it from trying this again.

The retry is problematic for much of the same reasons listed above.  The
file is likely in a very different state than what the retrieve logic
normally expects, and it might even have freed some serialization data
structures.  Attempting to access them or free them again is going to
break things.

For example, if memfd managed to restore 8 of its 10 folios, but fails on
the 9th, a subsequent retrieve attempt will try to call
kho_restore_folio() on the first folio again, and that will fail with a
warning since it is an invalid operation.

Apart from the retry, finish() also breaks.  Since on failure the
retrieved bool in luo_file is never touched, the finish() call on session
close will tell the file handler that retrieve was never attempted, and it
will try to access or free the data structures that might not exist, much
in the same way as the retry attempt.

There is no sane way of attempting the retrieve again.  Remember the error
retrieve returned and directly return it on a retry.  Also pass this
status code to finish() so it can make the right decision on the work it
needs to do.

This is done by changing the bool to an integer.  A value of 0 means
retrieve was never attempted, a positive value means it succeeded, and a
negative value means it failed and the error code is the value.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 5

CNA 2 VulnDex Vulnerability Enrichment 11

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 7c722a7f44e0c1f9714084152226bc7bd644b7e3

Version < 1d3ad69484dc1cc53be62d2554e7ef038a627af9

Status affected

Version 7c722a7f44e0c1f9714084152226bc7bd644b7e3

Version < f85b1c6af5bc3872f994df0a5688c1162de07a62

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.19

Status affected

Version 0

Version < 6.19

Status unaffected

Version <= 6.19.*

Version 6.19.9

Status unaffected

Version <= *

Version 7.0

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9

https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62

https://nvd.nist.gov/vuln/detail/CVE-2026-43489

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43489

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43489

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43489