CVE-2026-43445

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> e1000/e1000e: Fix leak in DMA error cleanup<br /> <br /> If an error is encountered while mapping TX buffers, the driver should<br /> unmap any buffers already mapped for that skb.<br /> <br /> Because count is incremented after a successful mapping, it will always<br /> match the correct number of unmappings needed when dma_error is reached.<br /> Decrementing count before the while loop in dma_error causes an<br /> off-by-one error. If any mapping was successful before an unsuccessful<br /> mapping, exactly one DMA mapping would leak.<br /> <br /> In these commits, a faulty while condition caused an infinite loop in<br /> dma_error:<br /> Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e<br /> driver")<br /> Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")<br /> <br /> Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of<br /> unsigned in *_tx_map()") fixed the infinite loop, but introduced the<br /> off-by-one error.<br /> <br /> This issue may still exist in the igbvf driver, but I did not address it<br /> in this patch.