CVE-2026-43148 Overview
CVE-2026-43148 is a null pointer dereference vulnerability in the Linux kernel's PowerPC SMP (Symmetric Multi-Processing) subsystem. The flaw resides in the parse_thread_groups() function, where the return value of kcalloc() was not validated before being passed to of_property_read_u32_array(). When kcalloc() fails to allocate memory under pressure, the unchecked NULL pointer is dereferenced, triggering a kernel oops.
The issue affects PowerPC platforms parsing thread group properties from the device tree during SMP initialization. Maintainers have resolved the vulnerability by adding the missing return value check before further use.
Critical Impact
A failed memory allocation during PowerPC SMP initialization can trigger a kernel null pointer dereference, leading to denial of service on affected systems.
Affected Products
- Linux kernel on PowerPC architecture (mainline and stable branches prior to the referenced fixes)
- Distributions shipping unpatched Linux kernels with arch/powerpc/kernel/smp.c containing the unchecked kcalloc() call
- Stable kernel branches addressed by patches 1de31dba, 33c1c6d8, 8b221db0, 9b85c8f6, 9d0ca112, b265e53d, and ca46d209
Discovery Timeline
- 2026-05-06 - CVE-2026-43148 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD
Technical Details for CVE-2026-43148
Vulnerability Analysis
The vulnerability is a null pointer dereference [CWE-476] in PowerPC SMP initialization code. The function parse_thread_groups() in arch/powerpc/kernel/smp.c allocates a buffer using kcalloc() to hold thread group data parsed from the firmware device tree. The original code passed this allocated pointer directly to of_property_read_u32_array() without verifying that the allocation succeeded.
When the kernel operates under memory pressure, kcalloc() may return NULL. The subsequent call to of_property_read_u32_array() then dereferences a NULL pointer while attempting to write the parsed u32 array, producing a kernel oops. On PowerPC SMP boot paths, this occurs during early CPU topology setup, which can render the system unbootable or unstable.
The EPSS score is 0.024% with a percentile of 6.957, reflecting low expected exploitation activity. The flaw is a reliability and robustness defect rather than a memory corruption primitive granting code execution.
Root Cause
The root cause is missing return-value validation after a dynamic memory allocation. The kcalloc() API can fail and return NULL, and callers must check this condition before using the returned pointer. The fix introduces an explicit NULL check immediately after kcalloc() and propagates an appropriate error code to the caller, preventing further use of an invalid pointer.
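The missing check described above, as a user-space C model added here for illustration; it is not the kernel's code or the upstream patch. The names model_kcalloc, model_read_u32_array, fail_alloc and the two parse_groups_* functions are hypothetical stand-ins, and -ENOMEM is an assumed error code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static int fail_alloc; /* hypothetical fault-injection knob (user-space model) */

/* Stand-in for kcalloc(): zeroed array, or NULL when the allocation fails. */
static void *model_kcalloc(size_t n, size_t size)
{
    return fail_alloc ? NULL : calloc(n, size);
}

/* Stand-in for of_property_read_u32_array(): writes n values through out. */
static int model_read_u32_array(const uint32_t *prop, uint32_t *out, size_t n)
{
    memcpy(out, prop, n * sizeof(*out));
    return 0;
}

/* Before: the buffer is used unchecked, so a failed allocation is a NULL write. */
int parse_groups_unchecked(const uint32_t *prop, size_t n, uint32_t *first)
{
    uint32_t *buf = model_kcalloc(n, sizeof(*buf));
    int ret = model_read_u32_array(prop, buf, n);
    if (!ret)
        *first = buf[0];
    free(buf);
    return ret;
}

/* After: bail out before any use; -ENOMEM is this model's assumed error code. */
int parse_groups_checked(const uint32_t *prop, size_t n, uint32_t *first)
{
    uint32_t *buf = model_kcalloc(n, sizeof(*buf));
    if (!buf)
        return -ENOMEM;
    int ret = model_read_u32_array(prop, buf, n);
    if (!ret)
        *first = buf[0];
    free(buf);
    return ret;
}

int main(void)
{
    uint32_t prop[] = {2, 4, 8}, first = 0; /* constructed sample data */
    fail_alloc = 1;                         /* simulate memory pressure */
    return parse_groups_checked(prop, 3, &first) != -ENOMEM;
}
```

With fail_alloc set, only the checked variant returns cleanly; the unchecked variant reaches the write with a NULL destination, which is the crash condition the advisory describes.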
Attack Vector
This vulnerability is local and requires conditions in which kernel memory allocations fail during PowerPC SMP setup. An attacker with the ability to induce memory pressure on the host, or environments where allocation failures occur naturally during boot, can trigger the dereference. The result is a kernel crash leading to denial of service. There is no public proof-of-concept and no indication of exploitation in the wild.
No verified exploit code is available for this CVE. See the upstream commits referenced below for the precise patch diffs and call sites.
Detection Methods for CVE-2026-43148
Indicators of Compromise
- Kernel oops or panic messages referencing parse_thread_groups or of_property_read_u32_array in dmesg or serial console logs on PowerPC hosts
- Boot failures or SMP initialization errors on PowerPC systems running unpatched kernels
- Repeated unexpected reboots correlated with high memory pressure during early boot
Detection Strategies
- Inventory PowerPC Linux systems and compare running kernel versions against the stable branches that received the listed fixes
- Use distribution package management tools (e.g., rpm -q kernel, dpkg -l linux-image-*) to identify hosts missing the corresponding security update
- Review kernel crash dumps and kdump archives for stack traces involving parse_thread_groups()
Monitoring Recommendations
- Forward kernel logs from PowerPC hosts to a centralized logging or SIEM platform and alert on oops signatures referencing the affected function
- Track patch deployment status across PowerPC infrastructure with vulnerability management tooling tied to CVE identifiers
- Monitor host availability metrics for unexpected reboots on PowerPC SMP systems
How to Mitigate CVE-2026-43148
Immediate Actions Required
- Update affected Linux kernels to a stable release containing one of the upstream fixes referenced by commit hashes 1de31dba, 33c1c6d8, 8b221db0, 9b85c8f6, 9d0ca112, b265e53d, or ca46d209
- Prioritize patching on PowerPC hosts running production workloads where availability is critical
- Validate kernel updates in a non-production environment before broad rollout to confirm SMP initialization succeeds
Patch Information
The Linux kernel maintainers have merged fixes adding a NULL check on the kcalloc() return value in parse_thread_groups(). The fix has been backported across multiple stable branches. Refer to the upstream commits: Kernel Patch 1de31dba, Kernel Patch 33c1c6d8, Kernel Patch 8b221db0, Kernel Patch 9b85c8f6, Kernel Patch 9d0ca112, Kernel Patch b265e53d, and Kernel Patch ca46d209.
Workarounds
- No supported workaround exists; applying the upstream patch is the recommended remediation
- Reduce the likelihood of allocation failures during boot by ensuring sufficient memory headroom on PowerPC hosts
- Restrict local access on unpatched systems to limit an attacker's ability to induce memory pressure
# Verify running kernel version on a PowerPC host
uname -r
# Example: update kernel on RHEL/CentOS-based PowerPC system
sudo dnf update kernel
# Example: update kernel on Debian/Ubuntu-based PowerPC system
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | sed 's/.*-//')
# Reboot to load the patched kernel
sudo reboot


