CVE-2026-43449
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
12/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set

dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues - 1.

This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.

KASAN splat:

==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74

CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246


Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 00000
---truncated---
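The commit message above describes the defect as a loop in nvme_dbbuf_set whose bound lets the index reach dev->online_queues, one past the last valid slot of the queues array that nvme_pci_alloc_dev allocates. The C model below is added here for illustration; it is not the driver's code or the fix. It runs the off-by-one bound and the corrected bound side by side over a constructed array so the extra visit is observable. The exact original condition (`i <= online_queues`), the struct field, and the sample queue count are assumptions consistent with the description, not facts taken from the page.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not the driver's struct) of one slot of dev->queues[]:
 * slot 0 is the admin queue, slots 1 .. online_queues-1 are I/O queues.
 * The field records whether the "free" loop visited the slot; in the driver
 * the visit is nvme_dbbuf_free() reading from the queue, which is the
 * 2-byte read KASAN reported when the index ran off the end.
 */
struct model_queue {
	int visited;
};

/* Backing storage for the demo. The driver has no spare slot: in the real
 * array the slot at index online_queues lies past the kmalloc'd region. */
#define MAX_SLOTS 16

/*
 * Assumed shape of the buggy loop: the inclusive bound lets i reach
 * online_queues, one past the last valid index. Returns the highest index
 * visited, or -1 if the loop body never ran.
 */
static int free_dbbufs_buggy(struct model_queue *q, int online_queues)
{
	int i, last = -1;

	for (i = 1; i <= online_queues; i++) {
		q[i].visited = 1;	/* stands in for nvme_dbbuf_free(&dev->queues[i]) */
		last = i;
	}
	return last;
}

/* Fixed loop: i stays within 1 .. online_queues-1, index 0 (admin) skipped. */
static int free_dbbufs_fixed(struct model_queue *q, int online_queues)
{
	int i, last = -1;

	for (i = 1; i < online_queues; i++) {
		q[i].visited = 1;
		last = i;
	}
	return last;
}

struct run_result {
	int last;		/* highest index the loop visited, -1 if none */
	int admin_touched;	/* slot 0 visited? must always be 0 */
	int past_end;		/* slot online_queues visited? 1 means out of bounds */
};

/*
 * Runs one loop variant over a zeroed array and reports what it touched.
 * online_queues counts every initialised queue including the admin queue,
 * as the commit message states, so valid indices are 0 .. online_queues-1.
 */
static struct run_result run_variant(int (*variant)(struct model_queue *, int),
				     int online_queues)
{
	struct model_queue q[MAX_SLOTS];
	struct run_result r = { -1, -1, -1 };

	if (online_queues < 1 || online_queues >= MAX_SLOTS)
		return r;		/* outside what the demo array can model */

	memset(q, 0, sizeof(q));
	r.last = variant(q, online_queues);
	r.admin_touched = q[0].visited;
	r.past_end = q[online_queues].visited;
	return r;
}

int main(void)
{
	int n = 4;	/* constructed sample: admin queue + 3 I/O queues, valid 0..3 */
	struct run_result b = run_variant(free_dbbufs_buggy, n);
	struct run_result f = run_variant(free_dbbufs_fixed, n);

	printf("online_queues=%d\n", n);
	printf("buggy: last=%d past_end=%d admin=%d\n", b.last, b.past_end, b.admin_touched);
	printf("fixed: last=%d past_end=%d admin=%d\n", f.last, f.past_end, f.admin_touched);

	/* Edge case: only the admin queue is online, so there is nothing to free. */
	b = run_variant(free_dbbufs_buggy, 1);
	f = run_variant(free_dbbufs_fixed, 1);
	printf("online_queues=1 buggy last=%d, fixed last=%d\n", b.last, f.last);
	return 0;
}
```

Two details from the splat are worth keeping in mind when triaging a report like this. The out-of-bounds read lands 244 bytes past a 1152-byte allocation that lives in a kmalloc-2k slab object, so it stays inside the 2048-byte object; without KASAN the same read returns whatever stale bytes sit in that slack and nothing faults, which is why the bug can go unnoticed on production kernels. And the faulting path runs from nvme-reset-wq via nvme_reset_work, so controller resets, not only initial probe, exercise the loop.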
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71
- https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7
- https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9
- https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e
- https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f
- https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c
- https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516
- https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e