CVE-2026-43171 Overview
CVE-2026-43171 is a Linux kernel vulnerability in the EFI Common Platform Error Record (CPER) handling code. The flaw resides in cper_print_fw_err(), which fails to validate that the error record length is large enough to accommodate the supplied offset. When a malformed firmware error record presents an offset larger than the record itself, the subsequent length -= offset calculation underflows. The kernel then attempts to hex-dump a region far larger than intended.
Critical Impact
A bad firmware error record can cause the kernel to dump large memory regions, leak sensitive kernel memory contents to logs, or trigger a kernel OOPS when accessing unmapped pages.
Affected Products
- Linux kernel versions containing the vulnerable cper_print_fw_err() logic in the EFI/CPER subsystem
- Distributions that ship the affected drivers/firmware/efi/cper.c code path
- Systems that process firmware error records via ACPI/APEI on UEFI platforms
Discovery Timeline
- 2026-05-06 - CVE-2026-43171 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43171
Vulnerability Analysis
The Linux kernel parses firmware error records delivered by UEFI platforms through the CPER format. These records describe hardware faults reported by firmware and are printed to the kernel log. The function cper_print_fw_err() in the EFI/CPER subsystem walks each section, computes the remaining record length using the section offset, and then issues a hex dump of the section payload.
The defect is an integer underflow in size arithmetic [CWE-191]. The function performs length -= offset without first verifying that offset is less than or equal to length. Because length is an unsigned size value, an offset that exceeds the record length wraps the result to a very large positive number. The hex dump routine then walks far past the intended buffer.
The practical outcomes are threefold. The kernel spends excessive time iterating over hundreds of megabytes, producing a denial-of-service condition. Sensitive kernel memory adjacent to the record is written into the kernel ring buffer, creating an information disclosure path. If the runaway dump reaches an unmapped page, the kernel raises an OOPS.
Root Cause
The root cause is missing input validation on attacker- or firmware-controlled length and offset fields prior to performing pointer and size arithmetic. The fix adds a length check that rejects sections whose declared length is too small to contain the offset, preventing the underflow before any hex dump is issued.
Attack Vector
Exploitation requires the kernel to consume a malicious or corrupted CPER record. This typically arrives from platform firmware via ACPI/APEI, the EFI runtime, or persistent error storage. An attacker capable of influencing firmware error records, such as through a compromised BMC, malicious firmware update, or crafted persistent store entries, can trigger the underflow on the next record processing event.
No verified public exploit code is available. The vulnerability mechanics are documented in the upstream commits referenced below. See the Linux Kernel Commit 02de64a and the Linux Kernel Commit 0e09b52 for the source-level fix details.
Detection Methods for CVE-2026-43171
Indicators of Compromise
- Unusually large hex dumps in dmesg or /var/log/kern.log originating from the EFI/CPER subsystem.
- Kernel OOPS or panic messages referencing cper_print_fw_err or cper.c in the call stack.
- Sustained high CPU utilization in kernel context shortly after firmware error reporting events.
Detection Strategies
- Audit running kernel versions across the fleet and compare against the patched stable trees referenced in the upstream commits.
- Monitor kernel logs for repeated Firmware Error CPER entries followed by oversized binary output.
- Correlate ACPI/APEI error injection or hardware error events with subsequent kernel instability.
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized log platform and alert on EFI/CPER messages exceeding normal size thresholds.
- Track kernel crash artifacts (kdump, pstore) for stack frames that include CPER print routines.
- Review BMC and firmware update logs for unauthorized changes that could influence error record content.
How to Mitigate CVE-2026-43171
Immediate Actions Required
- Apply the upstream stable kernel update that includes the section-length validation fix referenced in the linked commits.
- Rebuild and redeploy custom kernels that vendor drivers/firmware/efi/cper.c from affected versions.
- Restrict administrative access to firmware update channels and BMC interfaces to limit who can influence CPER content.
Patch Information
The fix adds a length check before invoking the hex dump in cper_print_fw_err(), rejecting records where the section length is smaller than the offset. Backports are available across multiple stable trees. See the upstream commits: Linux Kernel Commit 54e131d, Linux Kernel Commit 55cc6fe, Linux Kernel Commit 5a9b1dd, Linux Kernel Commit 64ae5aa, Linux Kernel Commit 7780c0b, and Linux Kernel Commit a8419f5.
Workarounds
- Restrict dmesg access to privileged users by setting kernel.dmesg_restrict=1 to reduce information disclosure exposure if a vulnerable kernel cannot be patched immediately.
- Disable or limit ACPI/APEI error reporting paths on platforms where firmware integrity cannot be assured, where supported by the hardware vendor.
- Validate firmware integrity using vendor-signed updates and Secure Boot to reduce the likelihood of crafted CPER records being injected.
# Restrict kernel log access as a partial mitigation
sudo sysctl -w kernel.dmesg_restrict=1
echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/99-cve-2026-43171.conf
# Verify the running kernel version against patched stable trees
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
