Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-43449

Severity: Pending analysis
Type: Not available / Other type
Publication date: 08/05/2026
Last modified: 12/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set

dev->online_queues is a count incremented in nvme_init_queue. Thus,
valid indices are 0 through dev->online_queues − 1.

This patch fixes the loop condition to ensure the index stays within the
valid range. Index 0 is excluded because it is the admin queue.

KASAN splat:

==================================================================
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74

CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: nvme-reset-wq nvme_reset_work
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xce/0x5d0 mm/kasan/report.c:482
kasan_report+0xdc/0x110 mm/kasan/report.c:595
__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379
nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246


Allocated by task 34 on cpu 1 at 4.241550s:
kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57
kasan_save_track+0x1c/0x70 mm/kasan/common.c:78
kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663
kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]
nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]
nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534
local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324
pci_call_probe drivers/pci/pci-driver.c:392 [inline]
__pci_device_probe drivers/pci/pci-driver.c:417 [inline]
pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x29b/0xb70 drivers/base/dd.c:661
__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803
driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833
__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159
async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129
process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
kthread+0x41a/0x930 kernel/kthread.c:463
ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88800592a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 244 bytes to the right of
allocated 1152-byte region [ffff88800592a000, ffff88800592a480)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 000fffffc0000040 ffff888001042000 00000
---truncated---
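
The count-versus-index off-by-one described in the commit message, as an added user-space C model (not the kernel's code and not part of the advisory). The `model_*` names, the struct layout and the assumption that the pre-fix loop used an inclusive bound (`i <= online_queues`) are illustrative; out-of-range indices are counted rather than dereferenced.

```c
/* Added user-space model; not kernel code. All model_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
struct model_queue { uint16_t qid; void *dbbuf_sq_db; void *dbbuf_cq_db; };
struct model_dev {
    struct model_queue *queues;  /* nr_allocated slots */
    unsigned int nr_allocated;
    unsigned int online_queues;  /* a count: valid indices are 0..count-1 */
};

/* As in the description, bringing a queue online increments the count. */
static void model_init_queue(struct model_dev *dev, uint16_t qid)
{
    dev->queues[qid].qid = qid;
    dev->online_queues++;
}

/* Clear doorbell pointers of the I/O queues (index 0 is the admin queue).
 * Returns how many loop indices fell outside the allocation; those are only
 * counted. inclusive != 0 models the assumed pre-fix bound, 0 the fixed one. */
static unsigned int model_dbbuf_clear(struct model_dev *dev, int inclusive)
{
    unsigned int end = dev->online_queues + (inclusive ? 1u : 0u), oob = 0;
    for (unsigned int i = 1; i < end; i++) {
        if (i >= dev->nr_allocated) { oob++; continue; }
        dev->queues[i].dbbuf_sq_db = NULL;
        dev->queues[i].dbbuf_cq_db = NULL;
    }
    return oob;
}

/* Allocate nr_alloc slots, bring nr_online queues up, run one loop variant. */
static unsigned int run_model(unsigned int nr_alloc, unsigned int nr_online, int inclusive)
{
    struct model_dev dev = { calloc(nr_alloc, sizeof(struct model_queue)), nr_alloc, 0 };
    if (!dev.queues || nr_online > nr_alloc) { free(dev.queues); return (unsigned int)-1; }
    for (unsigned int q = 0; q < nr_online; q++)
        model_init_queue(&dev, (uint16_t)q);
    unsigned int oob = model_dbbuf_clear(&dev, inclusive);
    free(dev.queues);
    return oob;
}

int main(void)
{
    printf("OOB indices: inclusive 8/8=%u, fixed 8/8=%u, inclusive 4/8=%u\n",
           run_model(8, 8, 1), run_model(8, 8, 0), run_model(8, 4, 1));
    return 0;
}
```

In this model the inclusive bound leaves the allocation only when every allocated slot is online (8 of 8); with 4 of 8 online it stays inside the allocation but still visits a slot that is not online.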

Impact