CVE-2026-43079 Overview
CVE-2026-43079 is a Linux kernel vulnerability in the Intel uncore performance monitoring subsystem (perf/x86/intel/uncore). The flaw resides in uncore_pci_pmu_register() within uncore.c, where the discovery table continues to be parsed even when all CPUs in the associated die are offline. This behavior can produce an array overflow at the pmu->boxes[die] = box assignment. The condition is triggered when Non-Uniform Memory Access (NUMA) is disabled and the system boots with fewer CPUs than the number of CPUs in die 0, generating a kernel WARNING and potentially causing additional instability.
Critical Impact
An out-of-bounds array write in the kernel's Intel uncore PMU registration path can trigger kernel warnings and lead to memory corruption on affected x86 systems with offline dies.
Affected Products
- Linux kernel builds containing the Intel uncore PMU discovery table parsing logic in arch/x86/events/intel/uncore.c
- x86 systems running kernels with NUMA disabled where the booted CPU count is lower than the CPU count of die 0
- Stable Linux kernel branches addressed by patches 6cfc187, 7a2cb02, 7b568e9, cfab2c8, and f34feda
Discovery Timeline
- 2026-05-06 - CVE-2026-43079 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43079
Vulnerability Analysis
The vulnerability exists in the Intel uncore Performance Monitoring Unit (PMU) initialization code. During boot, the kernel parses an uncore discovery table to register PMU boxes for each die on the system. The registration routine uncore_pci_pmu_register() writes a pointer into the pmu->boxes[die] array indexed by the die identifier reported by the discovery table.
When NUMA is disabled and the system has fewer online CPUs than die 0 expects, the discovery table still references dies that have no online CPUs backing them. The kernel proceeds with registration regardless of the offline state. Indexing pmu->boxes[die] with a die value that exceeds the allocated array bounds produces an out-of-bounds write, manifested by the warning at uncore.c:1157.
Root Cause
The root cause is missing validation of die online status before parsing the discovery table entries. The original code path assumes all dies enumerated by hardware discovery have at least one online CPU. Without that check, the index used for pmu->boxes[die] can fall outside the allocated boxes array. This pattern is classified as an Out-of-Bounds Write [CWE-787] in kernel memory.
Attack Vector
Exploitation requires specific boot-time conditions: NUMA disabled and a CPU count below the die 0 CPU count. The trigger is local and dependent on hardware topology and kernel boot parameters rather than network input. The vulnerability primarily affects system stability and integrity rather than presenting a remote attack surface. The fix introduced across the referenced patches skips discovery table entries when all CPUs in the associated die are offline, preventing the array overflow.
No verified public exploit code is available. The advisory text and upstream patches describe the WARNING and fix without releasing proof-of-concept exploitation code. Refer to the upstream commits for the precise diff.
Detection Methods for CVE-2026-43079
Indicators of Compromise
- Kernel ring buffer entries containing WARNING: CPU: <n> PID: <n> at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
- Boot logs showing the intel_uncore module loading on systems where NUMA is disabled and online CPU count is below die 0 capacity
- Unexpected kernel taint flags after the intel_uncore module initializes
Detection Strategies
- Inspect dmesg and /var/log/kern.log for the specific WARNING signature referencing uncore_pci_pmu_register
- Audit kernel command lines and BIOS settings for NUMA-disabled configurations on multi-die Intel platforms
- Compare running kernel versions against the patched stable branches referenced by upstream commits 6cfc187, 7a2cb02, 7b568e9, cfab2c8, and f34feda
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on uncore_pci_pmu_register warning patterns
- Track kernel taint state across the fleet via configuration management to identify hosts entering a degraded state after boot
- Maintain an inventory of Intel multi-die hosts with NUMA-disabled BIOS profiles and prioritize them for kernel updates
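The checks listed under Detection Strategies and Monitoring Recommendations can be combined into one triage helper. The script below is an added example, not code from the advisory or the kernel project; the function names, verdict labels and sample log are constructed for illustration, and it assumes NUMA is disabled on the command line with numa=off and that a kernel WARNING sets taint bit 9 (value 512).

```shell
#!/bin/sh
# Added example: triage for the uncore_pci_pmu_register WARNING.
# Constructed sample kernel log (not from a real host).
SAMPLE_LOG='[    4.101] intel_uncore: module init
[    4.112] WARNING: CPU: 1 PID: 312 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]
[    4.113] Modules linked in: intel_uncore(+)
[    9.500] EXT4-fs (sda1): mounted filesystem'

# Count WARNING lines naming uncore_pci_pmu_register; log text on stdin.
# grep -c exits 1 on zero matches, so mask that for callers using set -e.
count_uncore_warnings() {
    grep -Ec 'WARNING: .*uncore_pci_pmu_register\+0x[0-9a-f]+/0x[0-9a-f]+' || true
}

# Print boot parameters that match the trigger conditions in the advisory:
# NUMA disabled (assumed as numa=off) or a reduced CPU count.
risky_boot_params() {
    out=''
    for p in $1; do
        case "$p" in
            numa=off|maxcpus=*|nr_cpus=*) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s' "$out"
}

# True when the taint value has the "kernel issued a warning" bit (512) set.
taint_has_warn() {
    [ $(( $1 & 512 )) -ne 0 ]
}

# One verdict line per host: $1=log text, $2=kernel cmdline, $3=taint value.
triage() {
    n=$(printf '%s\n' "$1" | count_uncore_warnings)
    params=$(risky_boot_params "$2")
    if [ "$n" -gt 0 ]; then
        w=$(taint_has_warn "$3" && echo yes || echo no)
        echo "HIT warnings=$n taint_warn=$w params=${params:-none}"
    elif [ -n "$params" ]; then
        echo "REVIEW params=$params"   # trigger-style boot options, no warning seen
    else
        echo "CLEAR"
    fi
}

# Demo on the constructed sample. On a live host, pass instead:
#   "$(dmesg)" "$(cat /proc/cmdline)" "$(cat /proc/sys/kernel/tainted)"
triage "$SAMPLE_LOG" 'BOOT_IMAGE=/vmlinuz ro numa=off nr_cpus=2' 512
```

A REVIEW verdict only means the boot options resemble the trigger condition; whether the CPU count is actually below that of die 0 still has to be checked against the hardware topology.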
How to Mitigate CVE-2026-43079
Immediate Actions Required
- Update affected systems to a Linux kernel release that incorporates the upstream fix from one of the referenced stable commits
- On hosts that cannot be patched immediately, enable NUMA in BIOS or boot all CPUs of die 0 to avoid the triggering condition
- Verify after reboot that the uncore_pci_pmu_register warning no longer appears in dmesg
Patch Information
The issue is resolved in the upstream Linux kernel by skipping discovery table entries for dies whose CPUs are all offline. The fix is distributed across multiple stable branches in the following commits: 6cfc187, 7a2cb02, 7b568e9, cfab2c8, and f34feda. Apply the commit corresponding to your stable branch.
Workarounds
- Re-enable NUMA in firmware settings to prevent the boot condition that exposes the bug
- Avoid booting with maxcpus= or nr_cpus= values lower than the die 0 CPU count on multi-die Intel hardware
- Blacklist or unload the intel_uncore module on systems that do not require uncore PMU telemetry until the kernel is patched
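# Configuration example: prevent intel_uncore from autoloading until patched.
# This only applies when intel_uncore is built as a module, not built into the kernel.
echo 'blacklist intel_uncore' | sudo tee /etc/modprobe.d/disable-intel-uncore.conf
# Rebuild the initramfs so the blacklist also applies at early boot
# (Debian/Ubuntu command; dracut-based distributions use `sudo dracut -f`).
sudo update-initramfs -u
# Verify after reboot: both commands should print nothing
lsmod | grep intel_uncore
dmesg | grep -i uncore_pci_pmu_register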
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


