{"api_version":"1","generated_at":"2026-05-13T18:09:05+00:00","cve":"CVE-2026-43489","urls":{"html":"https://cve.report/CVE-2026-43489","api":"https://cve.report/api/cve/CVE-2026-43489.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43489","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43489"},"summary":{"title":"liveupdate: luo_file: remember retrieve() status","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nliveupdate: luo_file: remember retrieve() status\n\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\nproblems because once the file is retrieved, the serialized data\nstructures are likely freed and the file is likely in a very different\nstate from what the code expects.\n\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\nto the finish callback so it knows what work was already done and what it\nhas left to do.\n\nAll this works well when retrieve succeeds.  When it fails,\nluo_retrieve_file() returns the error immediately, without ever storing\nanywhere that a retrieve was attempted or what its error code was.  This\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\nbut nothing prevents it from trying this again.\n\nThe retry is problematic for much of the same reasons listed above.  The\nfile is likely in a very different state than what the retrieve logic\nnormally expects, and it might even have freed some serialization data\nstructures.  Attempting to access them or free them again is going to\nbreak things.\n\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\nthe 9th, a subsequent retrieve attempt will try to call\nkho_restore_folio() on the first folio again, and that will fail with a\nwarning since it is an invalid operation.\n\nApart from the retry, finish() also breaks.  Since on failure the\nretrieved bool in luo_file is never touched, the finish() call on session\nclose will tell the file handler that retrieve was never attempted, and it\nwill try to access or free the data structures that might not exist, much\nin the same way as the retry attempt.\n\nThere is no sane way of attempting the retrieve again.  Remember the error\nretrieve returned and directly return it on a retry.  Also pass this\nstatus code to finish() so it can make the right decision on the work it\nneeds to do.\n\nThis is done by changing the bool to an integer.  A value of 0 means\nretrieve was never attempted, a positive value means it succeeded, and a\nnegative value means it failed and the error code is the value.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-13 16:16:52","updated_at":"2026-05-13 16:16:52"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9","name":"https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62","name":"https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43489","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43489","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c722a7f44e0c1f9714084152226bc7bd644b7e3 1d3ad69484dc1cc53be62d2554e7ef038a627af9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c722a7f44e0c1f9714084152226bc7bd644b7e3 f85b1c6af5bc3872f994df0a5688c1162de07a62 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/linux/liveupdate.h","kernel/liveupdate/luo_file.c","mm/memfd_luo.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"1d3ad69484dc1cc53be62d2554e7ef038a627af9","status":"affected","version":"7c722a7f44e0c1f9714084152226bc7bd644b7e3","versionType":"git"},{"lessThan":"f85b1c6af5bc3872f994df0a5688c1162de07a62","status":"affected","version":"7c722a7f44e0c1f9714084152226bc7bd644b7e3","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/linux/liveupdate.h","kernel/liveupdate/luo_file.c","mm/memfd_luo.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.19"},{"lessThan":"6.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nliveupdate: luo_file: remember retrieve() status\n\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\nproblems because once the file is retrieved, the serialized data\nstructures are likely freed and the file is likely in a very different\nstate from what the code expects.\n\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\nto the finish callback so it knows what work was already done and what it\nhas left to do.\n\nAll this works well when retrieve succeeds.  When it fails,\nluo_retrieve_file() returns the error immediately, without ever storing\nanywhere that a retrieve was attempted or what its error code was.  This\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\nbut nothing prevents it from trying this again.\n\nThe retry is problematic for much of the same reasons listed above.  The\nfile is likely in a very different state than what the retrieve logic\nnormally expects, and it might even have freed some serialization data\nstructures.  Attempting to access them or free them again is going to\nbreak things.\n\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\nthe 9th, a subsequent retrieve attempt will try to call\nkho_restore_folio() on the first folio again, and that will fail with a\nwarning since it is an invalid operation.\n\nApart from the retry, finish() also breaks.  Since on failure the\nretrieved bool in luo_file is never touched, the finish() call on session\nclose will tell the file handler that retrieve was never attempted, and it\nwill try to access or free the data structures that might not exist, much\nin the same way as the retry attempt.\n\nThere is no sane way of attempting the retrieve again.  Remember the error\nretrieve returned and directly return it on a retry.  Also pass this\nstatus code to finish() so it can make the right decision on the work it\nneeds to do.\n\nThis is done by changing the bool to an integer.  A value of 0 means\nretrieve was never attempted, a positive value means it succeeded, and a\nnegative value means it failed and the error code is the value."}],"providerMetadata":{"dateUpdated":"2026-05-13T15:08:33.810Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9"},{"url":"https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62"}],"title":"liveupdate: luo_file: remember retrieve() status","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43489","datePublished":"2026-05-13T15:08:33.810Z","dateReserved":"2026-05-01T14:12:56.012Z","dateUpdated":"2026-05-13T15:08:33.810Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-13 16:16:52","lastModifiedDate":"2026-05-13 16:16:52","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43489","Ordinal":"1","Title":"liveupdate: luo_file: remember retrieve() status","CVE":"CVE-2026-43489","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43489","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nliveupdate: luo_file: remember retrieve() status\n\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\nproblems because once the file is retrieved, the serialized data\nstructures are likely freed and the file is likely in a very different\nstate from what the code expects.\n\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\nto the finish callback so it knows what work was already done and what it\nhas left to do.\n\nAll this works well when retrieve succeeds.  When it fails,\nluo_retrieve_file() returns the error immediately, without ever storing\nanywhere that a retrieve was attempted or what its error code was.  This\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\nbut nothing prevents it from trying this again.\n\nThe retry is problematic for much of the same reasons listed above.  The\nfile is likely in a very different state than what the retrieve logic\nnormally expects, and it might even have freed some serialization data\nstructures.  Attempting to access them or free them again is going to\nbreak things.\n\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\nthe 9th, a subsequent retrieve attempt will try to call\nkho_restore_folio() on the first folio again, and that will fail with a\nwarning since it is an invalid operation.\n\nApart from the retry, finish() also breaks.  Since on failure the\nretrieved bool in luo_file is never touched, the finish() call on session\nclose will tell the file handler that retrieve was never attempted, and it\nwill try to access or free the data structures that might not exist, much\nin the same way as the retry attempt.\n\nThere is no sane way of attempting the retrieve again.  Remember the error\nretrieve returned and directly return it on a retry.  Also pass this\nstatus code to finish() so it can make the right decision on the work it\nneeds to do.\n\nThis is done by changing the bool to an integer.  A value of 0 means\nretrieve was never attempted, a positive value means it succeeded, and a\nnegative value means it failed and the error code is the value.","Type":"Description","Title":"liveupdate: luo_file: remember retrieve() status"}]}}}