What is CVE-2026-43071?

CVE-2026-43071 is a Critical severity Linux kernel vulnerability with a CVSS score of 9.1 out of 10, classified as a Out-of-bounds Read flaw (CWE-125), affecting Linux kernel versions from 3.10.55 onward and patched in 6.1.175, 6.6.136, 6.12.83 and others. CVE-2026-43071 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-43071?

CVE-2026-43071 has a CVSS score of 9.1 out of 10, rated Critical severity. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.

Is there a patch available for CVE-2026-43071?

Yes, CVE-2026-43071 has been patched. Fixed versions include 6.1.175, 6.6.136, 6.12.83 and others. If you are running Linux kernel 3.10.55 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-43071 actively exploited?

CVE-2026-43071 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Out-of-bounds Read (CWE-125)?

The product reads data past the end or before the beginning of the intended buffer. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/125.html

CVE-2026-43071

Critical

In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets(which memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceeds the bit width of type u32.

Package Linux Kernel

Published 2026-05-05

Last modified 2026-06-01

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

9.1

out of 10

Critical

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Weakness type

CWE-125

CVE-2026-43071 is a Out-of-bounds Read vulnerability

What is Out-of-bounds Read?

The product reads data past the end or before the beginning of the intended buffer. Learn more on MITRE CWE

Affected versions

Linux kernel versions 3.10.55, 3.12.29, 3.14.19, 3.16.3, 3.17 and later are affected. Fixed in 6.1.175, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, 7.1-rc1 and their respective stable series.

Affected from

≥ 3.10.55 ≥ 3.12.29 ≥ 3.14.19 ≥ 3.16.3 ≥ 3.17

Fixed in

✓ 6.1.175 6.1.x ✓ 6.6.136 6.6.x ✓ 6.12.83 6.12.x ✓ 6.18.24 6.18.x ✓ 6.19.14 6.19.x ✓ 7.0.1 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-43071 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526
Patch
Kernel patch commit
https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73
Patch
Kernel patch commit
https://git.kernel.org/stable/c/45b06bb5ea96f75ad81d7ef446f832ea6b0026fe
Patch

7 patch commits total View all on NVD

Details

CVE ID CVE-2026-43071

Severity Critical

CVSS score 9.1 / 10

CVSS version 3.1

Published 2026-05-05

Modified 2026-06-01

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-43071?

CVE-2026-43071 is a Critical severity Linux kernel vulnerability with a CVSS score of 9.1 out of 10 , classified as an Out-of-bounds Read flaw (CWE-125) . It affects Linux kernel versions from 3.10.55 onward and has been patched in 6.1.175, 6.6.136, 6.12.83 and others. CVE-2026-43071 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-43071?

CVE-2026-43071 has a CVSS score of 9.1 out of 10, rated Critical severity (CVSS 3.1). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.
Is there a patch available for CVE-2026-43071?

Yes — CVE-2026-43071 has been patched. Fixed versions include 6.1.175, 6.6.136, 6.12.83 and others. If you are running Linux kernel 3.10.55 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-43071 actively exploited?

No — CVE-2026-43071 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Out-of-bounds Read (CWE-125)?

The product reads data past the end or before the beginning of the intended buffer. View CWE-125 on MITRE CWE →