{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: APEI/GHES: ensure that won't go past CPER allocated record",
    "id" : "2467220",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467220"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nAPEI/GHES: ensure that won't go past CPER allocated record\nThe logic at ghes_new() prevents allocating too large records, by\nchecking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).\nYet, the allocation is done with the actual number of pages from the\nCPER bios table location, which can be smaller.\nYet, a bad firmware could send data with a different size, which might\nbe bigger than the allocated memory, causing an OOPS:\nUnable to handle kernel paging request at virtual address fff00000f9b40000\nMem abort info:\nESR = 0x0000000096000007\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x07: level 3 translation fault\nData abort info:\nISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nswapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000\n[fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000\nInternal error: Oops: 0000000096000007 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT\nHardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\nWorkqueue: kacpi_notify acpi_os_execute_deferred\npstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\npc : hex_dump_to_buffer+0x30c/0x4a0\nlr : hex_dump_to_buffer+0x328/0x4a0\nsp : ffff800080e13880\nx29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083\nx26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004\nx23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083\nx20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010\nx17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020\nx14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008\nx11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020\nx5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000\nx2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008\nCall trace:\nhex_dump_to_buffer+0x30c/0x4a0 (P)\nprint_hex_dump+0xac/0x170\ncper_estatus_print_section+0x90c/0x968\ncper_estatus_print+0xf0/0x158\n__ghes_print_estatus+0xa0/0x148\nghes_proc+0x1bc/0x220\nghes_notify_hed+0x5c/0xb8\nnotifier_call_chain+0x78/0x148\nblocking_notifier_call_chain+0x4c/0x80\nacpi_hed_notify+0x28/0x40\nacpi_ev_notify_dispatch+0x50/0x80\nacpi_os_execute_deferred+0x24/0x48\nprocess_one_work+0x15c/0x3b0\nworker_thread+0x2d0/0x400\nkthread+0x148/0x228\nret_from_fork+0x10/0x20\nCode: 6b14033f 540001ad a94707e2 f100029f (b8747b44)\n---[ end trace 0000000000000000 ]---\nPrevent that by taking the actual allocated are into account when\nchecking for CPER length.\n[ rjw: Subject tweaks ]", "A flaw was found in the Linux kernel's ACPI Platform Error Interface (APEI) Generic Hardware Error Source (GHES) subsystem. A malicious firmware could send error data that is larger than the memory allocated by the kernel. This out-of-bounds write can lead to a kernel panic, effectively causing a Denial of Service (DoS) on the affected system." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43277\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43277\nhttps://lore.kernel.org/linux-cve-announce/2026050612-CVE-2026-43277-7db8@gregkh/T" ],
  "name" : "CVE-2026-43277",
  "csaw" : false
}