CVE-2026-43285 Overview
CVE-2026-43285 is a Linux kernel vulnerability in the slab memory allocator. The flaw resides in get_from_any_partial(), which accesses current->mems_allowed_seq when invoked in a non-maskable interrupt (NMI) context. Because mems_allowed_seq is a seqcount_spinlock_t, it is not NMI-safe and triggers lockdep warnings about inconsistent lock state. The condition can produce a deadlock scenario when an NMI interrupts a thread already holding the seqcount write side. The issue affects Linux kernel 7.0 release candidates rc1 through rc7. Local attackers with the ability to trigger slab allocations from NMI handlers can disrupt kernel availability.
Critical Impact
Local low-privileged users can induce kernel deadlocks or denial of service by triggering NMI-context slab allocations that access non-NMI-safe seqcount state.
Affected Products
- Linux kernel 7.0-rc1 through 7.0-rc7
- Distributions shipping unpatched mainline mm/slab code
- Workloads using kfree_rcu and BPF features that allocate in NMI context
Discovery Timeline
- 2026-05-08 - CVE-2026-43285 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43285
Vulnerability Analysis
The vulnerability resides in the kernel slab allocator path ___slab_alloc → get_from_any_partial(). When this allocation path executes in NMI context with !allow_spin semantics, it reads current->mems_allowed_seq. This field is typed as seqcount_spinlock_t, which according to Documentation/locking/seqlock.rst is not safe to access from NMI handlers.
Lockdep reports an inconsistent {INITIAL USE} -> {IN-NMI} lock state on &____s->seqcount#3. If an NMI fires while the same CPU holds the seqcount write side, the recursive access produces a deadlock condition. The reproducer surfaces during kunit_try_catch runs on kernel 6.19.0-rc5 builds that include the kfree_rcu rework.
The affected code path is reachable through BPF programs, perf events, and other subsystems that perform slab allocations from interrupt-disabled or NMI contexts. Local attackers with the ability to schedule such workloads can stall kernel execution on the affected CPU.
Root Cause
The root cause is improper synchronization primitive selection inside the memory policy path. mems_allowed_seq uses seqcount_spinlock_t, which assumes the write side is protected by a spinlock and the read side runs in normal or interrupt context. NMI handlers can preempt the write-side critical section, violating the seqcount invariant. The slab allocator did not gate access on allow_spin before consulting the seqcount.
Attack Vector
Exploitation requires local access and the ability to trigger slab allocations from NMI context. This is reachable through BPF tracing programs, perf subsystem callbacks, or hardware watchdog NMIs that invoke kernel memory allocations. A successful trigger causes lockdep splats in debug kernels and may deadlock production kernels under specific NUMA memory policy conditions. No code execution or information disclosure results from this flaw; the impact is confined to availability.
No public proof-of-concept exploit code is available. The EPSS score is 0.013%, reflecting very low likelihood of in-the-wild exploitation.
Detection Methods for CVE-2026-43285
Indicators of Compromise
- Kernel log entries containing "WARNING: inconsistent lock state" that reference &____s->seqcount and IN-NMI usage
- Lockdep stack traces showing ___slab_alloc+0x58f followed by NMI entry frames
- Soft lockup or hard lockup messages on CPUs running BPF or perf workloads with NUMA memory policies
Detection Strategies
- Enable CONFIG_PROVE_LOCKING and CONFIG_DEBUG_LOCK_ALLOC in test kernels to surface lockdep warnings tied to the seqcount path
- Monitor dmesg for "inconsistent {INITIAL USE} -> {IN-NMI} usage" messages and correlate them with slab allocation stack traces
- Audit BPF programs and perf event consumers for code paths that allocate kernel memory inside NMI handlers
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized logging system and alert on lockdep warnings referencing seqcount and slab_alloc
- Track kernel version inventory to identify hosts running Linux 7.0-rc1 through 7.0-rc7
- Review crash dumps from affected systems for stack signatures matching the get_from_any_partial NMI path
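The log correlation described above can be scripted. The following is an added example, not part of the original advisory or the kernel project: it counts lockdep reports that combine the IN-NMI transition, a seqcount lock and a ___slab_alloc frame. The function names, the 40-line report window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count lockdep reports matching the CVE-2026-43285 signature.
# Reads kernel log text on stdin (for instance the output of dmesg).
scan_seqcount_nmi() {
    awk -v window="${1:-40}" '
        # A new lockdep report starts here: reset the per-report evidence.
        /WARNING: inconsistent lock state/ { left = window; nmi = seq = slab = counted = 0; next }
        left > 0 {
            left--
            if (index($0, "{IN-NMI}"))          nmi = 1
            if (index($0, "seqcount"))          seq = 1
            if (index($0, "___slab_alloc+0x"))  slab = 1
            # Count a report once, and only when all three markers co-occur.
            if (nmi && seq && slab && !counted) { hits++; counted = 1 }
        }
        END { print hits + 0 }
    '
}

# Constructed sample: a report shaped like the one the advisory describes.
sample_vulnerable_log() {
cat <<'EOF'
[  812.004211] ================================
[  812.004213] WARNING: inconsistent lock state
[  812.004219] inconsistent {INITIAL USE} -> {IN-NMI} usage.
[  812.004224] kunit_try_catch/9989 takes:
[  812.004229] (&____s->seqcount#3){....}-{0:0}, at: ___slab_alloc+0x58f/0xc00
EOF
}

# Constructed sample: an unrelated lockdep report that must not be counted.
sample_benign_log() {
cat <<'EOF'
[  101.551002] WARNING: inconsistent lock state
[  101.551009] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
[  101.551015] (&dev->lock){?...}-{2:2}, at: example_driver_poll+0x2a/0x90
EOF
}

# Both samples together contain exactly one matching report.
{ sample_benign_log; sample_vulnerable_log; } | scan_seqcount_nmi
```

On a live host, pipe `dmesg` into `scan_seqcount_nmi` and alert on any non-zero count.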
How to Mitigate CVE-2026-43285
Immediate Actions Required
- Upgrade to a stable Linux kernel release that includes commits 144080a5823b, 353dd9934447, or efd767ddcef0
- Avoid running Linux 7.0 release candidate kernels in production environments
- Restrict unprivileged BPF and perf usage by setting kernel.unprivileged_bpf_disabled=1 and kernel.perf_event_paranoid=3
Patch Information
The upstream fix modifies the slab allocator to skip current->mems_allowed_seq access when allow_spin is false and to forgo retry in that path. Applicable patches are available at Kernel Git Commit 144080a, Kernel Git Commit 353dd99, and Kernel Git Commit efd767d.
Workarounds
- Disable workloads that invoke kernel slab allocations from NMI context until the patch is applied
- Restrict NUMA memory policy use (mbind, set_mempolicy) for untrusted local users via seccomp or namespace isolation
- Run affected systems on a single NUMA node where mems_allowed_seq updates do not occur
# Verify kernel version and disable unprivileged BPF as a hardening step
uname -r
sysctl -w kernel.unprivileged_bpf_disabled=1
sysctl -w kernel.perf_event_paranoid=3
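For fleet inventory, the version range and the two sysctl values above can be checked per host. This is an added example, not part of the original advisory: the function names are hypothetical, and the version test matches only the 7.0-rc1 through 7.0-rc7 range the advisory lists.

```shell
#!/bin/sh
# Added example: triage one host against the advisory's version range and sysctls.

# True when a `uname -r` string is a 7.0 release candidate rc1..rc7.
# Version match only: it cannot tell whether a vendor backported the fix.
is_affected_release() {
    rc=$(printf '%s\n' "$1" |
        sed -n 's/^7\.0\(\.0\)\{0,1\}-rc\([0-9][0-9]*\).*$/\2/p')
    [ -n "$rc" ] && [ "$rc" -ge 1 ] && [ "$rc" -le 7 ]
}

# Read a knob from /proc/sys/kernel; prints "absent" if it does not exist.
read_knob() {
    cat "/proc/sys/kernel/$1" 2>/dev/null || echo absent
}

# Print one finding per line; arguments default to the live host's values.
audit_host() {
    release=${1:-$(uname -r)}
    bpf=${2:-$(read_knob unprivileged_bpf_disabled)}
    perf=${3:-$(read_knob perf_event_paranoid)}
    if is_affected_release "$release"; then
        echo "kernel $release is in the 7.0-rc1..rc7 range"
    fi
    # 1 is the advisory's value; 2 also disables unprivileged BPF but an
    # administrator can change it again at runtime.
    case $bpf in
        1|2) ;;
        *) echo "kernel.unprivileged_bpf_disabled=$bpf (want 1)" ;;
    esac
    # Negative or non-numeric values (including "absent") are findings.
    case $perf in
        ''|*[!0-9]*) echo "kernel.perf_event_paranoid=$perf (want 3)" ;;
        *) [ "$perf" -ge 3 ] || echo "kernel.perf_event_paranoid=$perf (want 3)" ;;
    esac
}

# With no arguments this audits the host it runs on.
audit_host
```

Values set with `sysctl -w` do not survive a reboot, so a host that passes this check now can fail it after restart unless the settings are also persisted in the system's sysctl configuration.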
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


