CVE-2026-43157 Overview
CVE-2026-43157 is a memory leak vulnerability in the Linux kernel's octeontx2-af driver, specifically in the Common Gigabit Ethernet (CGX) component. The RX/TX flow-control bitmaps rx_fc_pfvf_bmap and tx_fc_pfvf_bmap are allocated by cgx_lmac_init() but never released in cgx_lmac_exit(). Each driver unbind and rebind cycle leaks the previously allocated bitmaps, which kmemleak reports through the rvu_alloc_bitmap and cgx_probe call paths. The fix frees both bitmaps during teardown, restoring proper resource management on Marvell OcteonTX2 networking hardware.
Critical Impact
Repeated driver unbind/rebind operations leak kernel memory in the OcteonTX2 admin function driver, degrading system stability over time on affected platforms.
Affected Products
- Linux kernel builds containing the octeontx2-af driver
- Systems using Marvell OcteonTX2 CGX network interfaces
- Distributions shipping kernels prior to the upstream stable backports referenced in this advisory
Discovery Timeline
- 2026-05-06 - CVE-2026-43157 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43157
Vulnerability Analysis
The vulnerability resides in the OcteonTX2 admin function (octeontx2-af) driver that manages CGX logical MAC (LMAC) interfaces. During driver initialization, cgx_lmac_init() allocates two bitmaps used to track per-physical-function and per-virtual-function flow-control state for receive and transmit paths. These allocations occur via rvu_alloc_bitmap() during cgx_probe().
The corresponding teardown routine, cgx_lmac_exit(), omits the matching free operations. As a result, every unbind of the driver leaves the bitmap memory allocated, and every subsequent rebind allocates new bitmaps without reclaiming the previous ones. The kernel's kmemleak tool flags the orphaned 16-byte allocations.
The upstream patch adds explicit deallocation of rx_fc_pfvf_bmap and tx_fc_pfvf_bmap in the exit path, balancing the allocation lifecycle.
Root Cause
The root cause is an incomplete teardown sequence in the driver lifecycle. Resources acquired in cgx_lmac_init() lacked symmetric release in cgx_lmac_exit(), violating the allocate/free pairing expected by the kernel memory model. This is a classic resource leak introduced when allocation logic was added without updating the exit handler.
Attack Vector
Triggering the leak requires the ability to unbind and rebind the octeontx2-af driver, which is restricted to privileged users with root access on the local system. The condition is not remotely exploitable and does not provide code execution. Repeated cycles gradually consume kernel memory, which can contribute to resource exhaustion over long uptimes on systems where driver rebinding occurs during maintenance or automated provisioning.
The vulnerability mechanism involves missing kfree() calls for bitmap structures previously returned by rvu_alloc_bitmap(). Refer to the upstream patches at the Linux Kernel Stable Tree for the exact code change.
Detection Methods for CVE-2026-43157
Indicators of Compromise
- kmemleak reports referencing rvu_alloc_bitmap and cgx_probe in the unreferenced object backtrace
- Growth in kernel slab usage correlated with repeated octeontx2-af driver bind/unbind events
- Dmesg entries showing successful CGX LMAC initialization without matching cleanup messages on unbind
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK on test systems and inspect /sys/kernel/debug/kmemleak after exercising driver rebind cycles
- Compare installed kernel package versions against vendor advisories listing the backported fix commits
- Audit configuration management workflows that may unbind and rebind network drivers in production
Monitoring Recommendations
- Track kernel MemAvailable and slab allocator metrics on hosts running OcteonTX2 hardware
- Alert on unexpected octeontx2-af driver bind operations through audit subsystem rules
- Include kernel package versions in asset inventory to identify hosts pending the security update
How to Mitigate CVE-2026-43157
Immediate Actions Required
- Apply the upstream Linux kernel update that includes the cgx_lmac_exit() bitmap free fix
- Inventory systems running Marvell OcteonTX2 networking hardware and prioritize them for patching
- Restrict privileged access to driver bind/unbind interfaces under /sys/bus/pci/drivers/octeontx2-af
Patch Information
The fix is available across multiple stable branches via the upstream commits referenced in the Linux Kernel Stable Tree. Distributions including Red Hat, SUSE, Ubuntu, and Debian backport these stable patches into their supported kernel streams. Apply the kernel update provided by your distribution and reboot affected hosts to load the patched driver.
Workarounds
- Avoid repeated unbind/rebind of the octeontx2-af driver until the kernel is patched
- Schedule planned reboots on long-running hosts that have already exercised driver rebinding to reclaim leaked memory
- Limit CAP_SYS_ADMIN and root access to operators who require driver lifecycle control
# Verify running kernel and check for the octeontx2-af module
uname -r
lsmod | grep octeontx2_af
# Inspect kmemleak output after suspected leak conditions
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
