{"api_version":"1","generated_at":"2026-05-11T11:03:33+00:00","cve":"CVE-2026-43449","urls":{"html":"https://cve.report/CVE-2026-43449","api":"https://cve.report/api/cve/CVE-2026-43449.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43449","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43449"},"summary":{"title":"nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set\n\ndev->online_queues is a count incremented in nvme_init_queue. Thus,\nvalid indices are 0 through dev->online_queues − 1.\n\nThis patch fixes the loop condition to ensure the index stays within the\nvalid range. Index 0 is excluded because it is the admin queue.\n\nKASAN splat:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\nRead of size 2 at addr ffff88800592a574 by task kworker/u8:5/74\n\nCPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: nvme-reset-wq nvme_reset_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x5d0 mm/kasan/report.c:482\n kasan_report+0xdc/0x110 mm/kasan/report.c:595\n __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379\n nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\n nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\n nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 34 on cpu 1 at 4.241550s:\n kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57\n kasan_save_track+0x1c/0x70 mm/kasan/common.c:78\n kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663\n kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]\n nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]\n nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534\n local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324\n pci_call_probe drivers/pci/pci-driver.c:392 [inline]\n __pci_device_probe drivers/pci/pci-driver.c:417 [inline]\n pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451\n call_driver_probe drivers/base/dd.c:583 [inline]\n really_probe+0x29b/0xb70 drivers/base/dd.c:661\n __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803\n driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833\n __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159\n async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff88800592a000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 244 bytes to the right of\n allocated 1152-byte region [ffff88800592a000, ffff88800592a480)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: f5(slab)\nraw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000\nhead: 000fffffc0000040 ffff888001042000 00000\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:57","updated_at":"2026-05-08 15:16:57"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71","name":"https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516","name":"https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e","name":"https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7","name":"https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9","name":"https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e","name":"https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c","name":"https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f","name":"https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43449","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43449","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 2b9d605c3f0d3262142f196249cd3bd58c857c71 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 86183d550559e45e07059bbdf17331fea469e38c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf d7990c936e25f484b61a5adeeadc1d290a9fd16e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 83e6edd6358326c9c2de31a54bb4a1ec50703f1f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 50bad78f03a02d3c0f228edf9912b494d3e7acb9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 328c551f0cc81ee776b186b86cc6e5253bb6fda7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf 78279d2d74c58a0ed64e43cf601a02649771182e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf b4e78f1427c7d6859229ae9616df54e1fc05a516 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 930bb3092fe606baa23d57ae59b70b291d67a8af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fd1c1de8c4589fdd528733bfd01ed0c5f3f69204 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4940816604e3ce7e05e8df297773ee86c0476d48 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 55a3b1ad694631cc2698b5500ac5865d7d0f064e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.10","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.19 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43449","cve":"CVE-2026-43449","epss":"0.000240000","percentile":"0.070400000","score_date":"2026-05-10","updated_at":"2026-05-11 00:14:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/nvme/host/pci.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"2b9d605c3f0d3262142f196249cd3bd58c857c71","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"86183d550559e45e07059bbdf17331fea469e38c","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"d7990c936e25f484b61a5adeeadc1d290a9fd16e","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"83e6edd6358326c9c2de31a54bb4a1ec50703f1f","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"50bad78f03a02d3c0f228edf9912b494d3e7acb9","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"328c551f0cc81ee776b186b86cc6e5253bb6fda7","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"78279d2d74c58a0ed64e43cf601a02649771182e","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"lessThan":"b4e78f1427c7d6859229ae9616df54e1fc05a516","status":"affected","version":"0f0d2c876c96d4908a9ef40959a44bec21bdd6cf","versionType":"git"},{"status":"affected","version":"930bb3092fe606baa23d57ae59b70b291d67a8af","versionType":"git"},{"status":"affected","version":"fd1c1de8c4589fdd528733bfd01ed0c5f3f69204","versionType":"git"},{"status":"affected","version":"4940816604e3ce7e05e8df297773ee86c0476d48","versionType":"git"},{"status":"affected","version":"55a3b1ad694631cc2698b5500ac5865d7d0f064e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/nvme/host/pci.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.10"},{"lessThan":"5.10","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.19","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.19","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.10","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.210","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.161","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.81","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set\n\ndev->online_queues is a count incremented in nvme_init_queue. Thus,\nvalid indices are 0 through dev->online_queues − 1.\n\nThis patch fixes the loop condition to ensure the index stays within the\nvalid range. Index 0 is excluded because it is the admin queue.\n\nKASAN splat:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\nRead of size 2 at addr ffff88800592a574 by task kworker/u8:5/74\n\nCPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: nvme-reset-wq nvme_reset_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x5d0 mm/kasan/report.c:482\n kasan_report+0xdc/0x110 mm/kasan/report.c:595\n __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379\n nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\n nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\n nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 34 on cpu 1 at 4.241550s:\n kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57\n kasan_save_track+0x1c/0x70 mm/kasan/common.c:78\n kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663\n kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]\n nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]\n nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534\n local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324\n pci_call_probe drivers/pci/pci-driver.c:392 [inline]\n __pci_device_probe drivers/pci/pci-driver.c:417 [inline]\n pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451\n call_driver_probe drivers/base/dd.c:583 [inline]\n really_probe+0x29b/0xb70 drivers/base/dd.c:661\n __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803\n driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833\n __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159\n async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff88800592a000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 244 bytes to the right of\n allocated 1152-byte region [ffff88800592a000, ffff88800592a480)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: f5(slab)\nraw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000\nhead: 000fffffc0000040 ffff888001042000 00000\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-08T14:22:15.276Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71"},{"url":"https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c"},{"url":"https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e"},{"url":"https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f"},{"url":"https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9"},{"url":"https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7"},{"url":"https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e"},{"url":"https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516"}],"title":"nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43449","datePublished":"2026-05-08T14:22:15.276Z","dateReserved":"2026-05-01T14:12:56.010Z","dateUpdated":"2026-05-08T14:22:15.276Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:57","lastModifiedDate":"2026-05-08 15:16:57","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43449","Ordinal":"1","Title":"nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set","CVE":"CVE-2026-43449","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43449","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set\n\ndev->online_queues is a count incremented in nvme_init_queue. Thus,\nvalid indices are 0 through dev->online_queues − 1.\n\nThis patch fixes the loop condition to ensure the index stays within the\nvalid range. Index 0 is excluded because it is the admin queue.\n\nKASAN splat:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\nBUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\nRead of size 2 at addr ffff88800592a574 by task kworker/u8:5/74\n\nCPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: nvme-reset-wq nvme_reset_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x5d0 mm/kasan/report.c:482\n kasan_report+0xdc/0x110 mm/kasan/report.c:595\n __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379\n nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]\n nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404\n nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n </TASK>\n\nAllocated by task 34 on cpu 1 at 4.241550s:\n kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57\n kasan_save_track+0x1c/0x70 mm/kasan/common.c:78\n kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663\n kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]\n nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]\n nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534\n local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324\n pci_call_probe drivers/pci/pci-driver.c:392 [inline]\n __pci_device_probe drivers/pci/pci-driver.c:417 [inline]\n pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451\n call_driver_probe drivers/base/dd.c:583 [inline]\n really_probe+0x29b/0xb70 drivers/base/dd.c:661\n __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803\n driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833\n __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159\n async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129\n process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x65c/0xe60 kernel/workqueue.c:3421\n kthread+0x41a/0x930 kernel/kthread.c:463\n ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff88800592a000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 244 bytes to the right of\n allocated 1152-byte region [ffff88800592a000, ffff88800592a480)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: f5(slab)\nraw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000\nhead: 000fffffc0000040 ffff888001042000 00000\n---truncated---","Type":"Description","Title":"nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set"}]}}}