{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: vhost: move vdpa group bound check to vhost_vdpa",
    "id" : "2467084",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467084"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvhost: move vdpa group bound check to vhost_vdpa\nRemove duplication by consolidating these here.  This reduces the\npossibility of a parent driver missing them.\nWhile we're at it, fix a bug in vdpa_sim where a valid ASID can be\nassigned to a group equal to ngroups, causing an out of bound write.", "A flaw was found in the Linux kernel's vhost subsystem. Specifically, a bug in the `vdpa_sim` component allows for an out-of-bounds write when a valid ASID (Address Space ID) is incorrectly assigned to a vDPA (virtio Data Path Acceleration) group. This could lead to memory corruption, potentially resulting in a denial of service or other system instability." ],
  "statement" : "vhost vdpa did not centrally validate the group index before calling the driver set_group_asid operation. In vdpa_sim, a group value equal to ngroups could pass the old driver check and cause an out of bounds write when assigning a valid ASID to that group. For the CVSS the PR:L value is used because an attacker needs local access to the vhost vdpa or vdpa device interface, commonly through a VM or virtualization management process, but does not necessarily need kernel privileges once that interface is exposed. The issue is not network reachable by itself and is triggered through a local ioctl control path. Impact is at least local denial of service via kernel memory corruption and in the worst case may allow confidentiality or integrity impact due to an out of bounds write primitive.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43248\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43248\nhttps://lore.kernel.org/linux-cve-announce/2026050602-CVE-2026-43248-7506@gregkh/T" ],
  "name" : "CVE-2026-43248",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module vdpa from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}