dcache: Limit the minimal number of bucket to two

Summary

CVE	CVE-2026-43071
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-05 16:16:16 UTC
Updated	2026-06-01 17:17:01 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.

Risk And Classification

Primary CVSS: v3.1 9.1 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.000720000 probability, percentile 0.217270000 (date 2026-05-12)

Problem Types: CWE-125

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	9.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`
3.1	CNA	DECLARED	9.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 45b06bb5ea96f75ad81d7ef446f832ea6b0026fe git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 426ef05e82ee52c8d0e95fc0808b7383d8352d73 git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 ddd57ebce245f9c7e2f6902a6c087d6186d2385d git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 755b40903eff563768d4d96fd4ef51ec48adde3b git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 5718df131ab78897a9dd1f2e71c3ba732d4392af git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 277cedabb0ab86baae83fa58218be13c6d3e5526 git	Not specified
CNA	Linux	Linux	affected 99d263d4c5b2f541dfacb5391e22e8c91ea982a6 f08fe8891c3eeb63b73f9f1f6d97aa629c821579 git	Not specified
CNA	Linux	Linux	affected d4c96061fddd129778ce8b70fb093aa532f422d0 git	Not specified
CNA	Linux	Linux	affected be2378cbffe50ce0161f0fdee914adee98af53dc git	Not specified
CNA	Linux	Linux	affected a8be8af18485f9fade90e1743d940252a39eec84 git	Not specified
CNA	Linux	Linux	affected b5cf3193759f7cd1cfbeef11f5cf067bbce22e55 git	Not specified
CNA	Linux	Linux	affected 3.10.55 3.11 semver	Not specified
CNA	Linux	Linux	affected 3.12.29 3.13 semver	Not specified
CNA	Linux	Linux	affected 3.14.19 3.15 semver	Not specified
CNA	Linux	Linux	affected 3.16.3 3.17 semver	Not specified
CNA	Linux	Linux	affected 3.17	Not specified
CNA	Linux	Linux	unaffected 3.17 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.136 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.83 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.24 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.14 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.1 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/45b06bb5ea96f75ad81d7ef446f832ea6b0026fe	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.