The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43147

CVE-2026-43147: Linux Kernel SR-IOV DOS Vulnerability

CVE-2026-43147 is a denial of service vulnerability in the Linux kernel's SR-IOV implementation that causes deadlocks during PCI device removal. This article covers the technical details, affected systems, and mitigation.

Published: May 7, 2026

CVE-2026-43147 Overview

CVE-2026-43147 is a Linux kernel vulnerability in the PCI/IOV subsystem that causes a deadlock when enabling or disabling Single Root I/O Virtualization (SR-IOV). The issue stems from a previous commit (05703271c3cd) that added pci_rescan_remove_lock locking around SR-IOV enable/disable operations. The lock is taken recursively when sriov_del_vfs() runs as part of pci_stop_and_remove_bus_device(), producing a self-deadlock. The fix reverts the offending commit, restoring kernel availability at the cost of reintroducing the original race the commit attempted to address. A follow-on patch is planned to provide a complete fix.

Critical Impact

Local users with permission to write to PCI sysfs entries can trigger a kernel deadlock by disabling Virtual Functions (VFs) and removing the Physical Function (PF) device, leading to denial of service on systems using SR-IOV-capable devices such as Mellanox mlx5 adapters.

Affected Products

  • Linux kernel versions containing commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV")
  • Systems with SR-IOV-capable PCIe devices, including Mellanox mlx5 network adapters
  • Stable kernel branches referenced by patches 0de341b, 2fa119c, 40f6768, 5867778, 6392652, 83651d3, d47f27e, and f61cdd7

Discovery Timeline

  • 2026-05-06 - CVE-2026-43147 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-43147

Vulnerability Analysis

The defect lives in the Linux kernel PCI SR-IOV management path. When user space writes to /sys/bus/pci/devices/<pf>/remove, the kernel calls pci_stop_and_remove_bus_device_locked(), which acquires pci_rescan_remove_lock. The teardown chain then invokes the device driver's remove handler, which for mlx5_core calls mlx5_sriov_disable() and ultimately sriov_disable(). The cited commit added a second acquisition of the same pci_rescan_remove_lock inside sriov_disable(), creating a recursive lock attempt on a non-recursive mutex. The kernel's lockdep subsystem detects this as a deadlock condition and the calling thread blocks indefinitely.

Root Cause

The root cause is a lock ordering and reentrancy violation. Commit 05703271c3cd introduced pci_rescan_remove_lock acquisition in sriov_disable() to serialize SR-IOV state changes. However, sriov_del_vfs() is reachable from device removal paths that already hold the same lock. Because pci_rescan_remove_lock is implemented as a non-recursive mutex, the second acquisition by the same task triggers a self-deadlock rather than an immediate panic.

Attack Vector

A local user or process with write access to PCI sysfs entries can trigger the deadlock by first writing a non-zero value to sriov_numvfs and then writing 1 to the remove attribute of the same Physical Function. The deadlock hangs the writing task and any subsequent operation that requires pci_rescan_remove_lock, producing a denial-of-service condition. The trace excerpt published with the CVE shows the deadlock observed on a mlx5 device through the call path remove_store → pci_stop_and_remove_bus_device_locked → pci_device_remove → mlx5_sriov_disable → sriov_disable.

No verified public exploit code is available. The vulnerability is described in the upstream kernel commits referenced in the NVD entry. See the Kernel Commit 0de341b and Kernel Commit f61cdd7 for the revert and follow-on fixes.

Detection Methods for CVE-2026-43147

Indicators of Compromise

  • Kernel log entries containing print_deadlock_bug and pci_rescan_remove_lock with stack frames including sriov_disable+0x34/0x140 and pci_stop_and_remove_bus_device_locked.
  • Hung task warnings (INFO: task <name>:<pid> blocked for more than X seconds) referencing processes performing writes to PCI sriov_numvfs or remove sysfs entries.
  • System administrator processes stuck in D state after issuing SR-IOV teardown commands on mlx5 or other SR-IOV-capable devices.

Detection Strategies

  • Audit kernel ring buffer (dmesg) and persistent journal (journalctl -k) for lockdep deadlock reports referencing pci_rescan_remove_lock.
  • Monitor for shell or automation scripts writing to /sys/bus/pci/devices/*/sriov_numvfs followed by writes to /sys/bus/pci/devices/*/remove on the same Physical Function.
  • Track running kernel versions across the fleet against the list of stable branches that received the revert commit.

Monitoring Recommendations

  • Enable CONFIG_PROVE_LOCKING in test kernels to surface lockdep deadlock reports during pre-production validation.
  • Forward kernel logs to a centralized logging or SIEM platform and alert on the strings print_deadlock_bug, pci_rescan_remove_lock, and sriov_disable.
  • Inventory hosts with SR-IOV enabled by polling lspci -vv and /sys/bus/pci/devices/*/sriov_numvfs so patch coverage can be measured.

How to Mitigate CVE-2026-43147

Immediate Actions Required

  • Update the Linux kernel to a stable release that includes the revert of commit 05703271c3cd (see referenced commits 0de341b, 2fa119c, 40f6768, 5867778, 6392652, 83651d3, d47f27e, f61cdd7).
  • Restrict write access to /sys/bus/pci/devices/*/sriov_numvfs and /sys/bus/pci/devices/*/remove to root only and audit any automation that interacts with these paths.
  • Avoid issuing PF remove operations while VFs are still active until the patched kernel is deployed.

Patch Information

The upstream fix reverts commit 05703271c3cd. The revert is propagated across stable branches via the kernel.org commits 0de341b2365bad430aade0853fe09c2cbe468f59, 2fa119c0e5e528453ebae9e70740e8d2d8c0ed5a, 40f67686a5002c0c322fac918406bbc8d9c2ec2f, 58677783c89681871077f50a7042b0c6380c4fd8, 639265296fe6ee21b6f00e00ee2bab65f3b07252, 83651d37474c762920e345a3a0828f975ca4d732, d47f27e145f8bd13f3c230da5e3af29225b4a2f7, and f61cdd7e9b67bb8961b0a81bf294b78343e5db05. The kernel maintainers note this revert restores the original race condition the cited commit tried to solve and that a follow-on fix will be provided.

Workarounds

  • Configure SR-IOV VFs at boot time and avoid runtime changes to sriov_numvfs on production hosts until patched.
  • Disable VFs (echo 0 > sriov_numvfs) and confirm completion before removing the PF device, rather than relying on driver-initiated VF teardown during remove.
  • Constrain administrative tooling to serialize PCI hot-remove operations and prevent concurrent SR-IOV reconfiguration on the same device.
bash
# Verify running kernel and check whether the revert is applied
uname -r
git log --oneline | grep -E '05703271c3cd|Revert.*PCI/IOV'

# Safely tear down SR-IOV before removing a PF (workaround)
PF=0000:01:00.0
echo 0 | sudo tee /sys/bus/pci/devices/${PF}/sriov_numvfs
sudo udevadm settle
sudo sh -c "echo 1 > /sys/bus/pci/devices/${PF}/remove"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechLinux
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Commit 0de341b
  • Kernel Commit 2fa119c
  • Kernel Commit 40f6768
  • Kernel Commit 5867778
  • Kernel Commit 6392652
  • Kernel Commit 83651d3
  • Kernel Commit d47f27e
  • Kernel Commit f61cdd7
  • Related CVEs
  • CVE-2026-43060: Linux Kernel Netfilter DoS Vulnerability
  • CVE-2026-43251: Linux Kernel HID Prodikeys DOS Vulnerability
  • CVE-2026-43247: Linux Kernel Media Driver DoS Vulnerability
  • CVE-2026-43099: Linux Kernel ICMP DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English