CVE-2026-43289 Overview
CVE-2026-43289 is a Linux kernel vulnerability in the kexec_load_purgatory() function within kernel/kexec_file.c. The function derives image->start by locating e_entry inside an SHF_EXECINSTR section. When a purgatory object contains multiple executable sections with overlapping sh_addr values, the entry point check can match more than once and trigger a kernel WARN. The fix derives the entry section from the purgatory_start symbol when present and computes image->start from its final placement, retaining the existing e_entry fallback.
Critical Impact
A local user holding CAP_SYS_BOOT who invokes the kexec_file_load syscall on an affected kernel triggers a kernel WARN. By itself the WARN only logs a stack trace; on systems booted with panic_on_warn=1 it becomes a kernel panic, which is the availability impact.
Affected Products
- Linux Kernel version 6.4 (including release candidates)
- Linux Kernel version 7.0 (rc1 through rc7)
- Multiple stable kernel branches as referenced in kernel.org commits
Discovery Timeline
- 2026-05-08 - CVE-2026-43289 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43289
Vulnerability Analysis
The vulnerability resides in the kernel's kexec (kernel execution) subsystem, which allows loading a new kernel from the currently running one. The purgatory is a small executable that runs between the original and new kernels during a kexec operation; for kexec_file_load it is compiled into the kernel image, not supplied by the caller. The function kexec_load_purgatory() parses that purgatory ELF object to locate its entry point: image->start is initialised to the ELF header's e_entry, and the executable sections (those flagged SHF_EXECINSTR) are scanned for the one whose sh_addr range contains e_entry, so that image->start can be rewritten to that section's final load address.
When the purgatory ELF contains multiple executable sections whose sh_addr ranges overlap, the scan matches e_entry against more than one section. The second match finds image->start already rewritten, and the WARN_ON guarding that case fires at kernel/kexec_file.c:1009, producing a kernel stack trace through bzImage64_load, __do_sys_kexec_file_load, and do_syscall_64.
Root Cause
The root cause is the assumption that e_entry uniquely identifies a single executable section in the purgatory object. The original logic does not account for overlapping sh_addr values between distinct SHF_EXECINSTR sections. The patch resolves this by preferring the purgatory_start symbol when present, which provides an unambiguous reference to the entry location, and computing image->start from that symbol's final placement.
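The ambiguity and the fix are easier to see on a small model. The following C program is an added illustration, not kernel code: it reproduces the shape of the entry-section loop described above on a constructed section table, first the pre-fix e_entry scan (image->start starts as e_entry, and a second containing section finds it already rewritten, which is the WARN_ON condition), then the symbol-based resolution. The section layouts, load addresses and the purgatory_start symbol are constructed; treating st_value as an offset within the defining section follows relocatable-object convention and is an assumption about the real purgatory.

```c
/* Added model of the purgatory entry-section lookup in kexec_load_purgatory().
 * Not kernel code: section headers, placements and the symbol table below are
 * constructed in memory rather than parsed from the real purgatory ELF. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHF_EXECINSTR 0x4ULL   /* ELF section flag: section holds code */

struct section {
    const char *name;
    uint64_t sh_flags;
    uint64_t sh_addr;    /* link-time address from the section header */
    uint64_t sh_size;
    uint64_t load_addr;  /* final placement of the section (constructed) */
};

struct symbol {
    const char *name;
    int st_shndx;        /* section that defines the symbol */
    uint64_t st_value;   /* offset within that section (assumption, ET_REL style) */
};

/* Pre-fix logic. image->start begins as e_entry and is rewritten by the first
 * SHF_EXECINSTR section whose [sh_addr, sh_addr + sh_size) contains e_entry.
 * A second containing section sees image->start already rewritten, which is
 * the WARN_ON condition. Returns how often that condition fired and stores
 * the computed image->start in *start. */
int old_entry_lookup(const struct section *s, int n, uint64_t entry, uint64_t *start)
{
    int warned = 0;
    *start = entry;
    for (int i = 0; i < n; i++) {
        if (!(s[i].sh_flags & SHF_EXECINSTR))
            continue;
        if (entry < s[i].sh_addr || entry >= s[i].sh_addr + s[i].sh_size)
            continue;
        if (*start != entry) {   /* WARN_ON(image->start != e_entry) */
            warned++;
            continue;
        }
        *start = entry - s[i].sh_addr + s[i].load_addr;
    }
    return warned;
}

/* Post-fix logic. When a purgatory_start symbol exists, its defining section
 * is the entry section and image->start is that section's placement plus the
 * symbol offset, with no address-range comparison at all. Without the symbol,
 * fall back to the e_entry scan. Returns the WARN count (0 on the symbol path). */
int new_entry_lookup(const struct section *s, int n, const struct symbol *sym,
                     int nsym, uint64_t entry, uint64_t *start)
{
    for (int i = 0; i < nsym; i++) {
        int idx = sym[i].st_shndx;
        if (strcmp(sym[i].name, "purgatory_start") == 0 && idx >= 0 && idx < n &&
            (s[idx].sh_flags & SHF_EXECINSTR)) {
            *start = s[idx].load_addr + sym[i].st_value;
            return 0;
        }
    }
    return old_entry_lookup(s, n, entry, start);
}

/* Constructed layouts. In `ambiguous` both code sections start at sh_addr 0,
 * so e_entry 0x10 lies inside each of them; `disjoint` has no overlap. */
static const struct section ambiguous[] = {
    { ".text",      SHF_EXECINSTR, 0x000, 0x200, 0x10000 },
    { ".text.misc", SHF_EXECINSTR, 0x000, 0x080, 0x10200 },
    { ".data",      0,             0x000, 0x040, 0x10280 },
};
static const struct section disjoint[] = {
    { ".text",      SHF_EXECINSTR, 0x000, 0x200, 0x10000 },
    { ".text.misc", SHF_EXECINSTR, 0x200, 0x080, 0x10200 },
    { ".data",      0,             0x280, 0x040, 0x10280 },
};
static const struct symbol sample_syms[] = { { "purgatory_start", 0, 0x10 } };
static const uint64_t sample_entry = 0x10;

#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

int ambiguous_old_warns(void)      { uint64_t st; return old_entry_lookup(ambiguous, COUNT(ambiguous), sample_entry, &st); }
uint64_t ambiguous_old_start(void) { uint64_t st; old_entry_lookup(ambiguous, COUNT(ambiguous), sample_entry, &st); return st; }
int ambiguous_new_warns(void)      { uint64_t st; return new_entry_lookup(ambiguous, COUNT(ambiguous), sample_syms, COUNT(sample_syms), sample_entry, &st); }
uint64_t ambiguous_new_start(void) { uint64_t st; new_entry_lookup(ambiguous, COUNT(ambiguous), sample_syms, COUNT(sample_syms), sample_entry, &st); return st; }
int disjoint_old_warns(void)       { uint64_t st; return old_entry_lookup(disjoint, COUNT(disjoint), sample_entry, &st); }
int ambiguous_nosym_warns(void)    { uint64_t st; return new_entry_lookup(ambiguous, COUNT(ambiguous), NULL, 0, sample_entry, &st); }

int main(void)
{
    printf("ambiguous, e_entry scan : warn=%d start=0x%" PRIx64 "\n", ambiguous_old_warns(), ambiguous_old_start());
    printf("ambiguous, symbol       : warn=%d start=0x%" PRIx64 "\n", ambiguous_new_warns(), ambiguous_new_start());
    printf("disjoint,  e_entry scan : warn=%d\n", disjoint_old_warns());
    return 0;
}
```

The pre-fix scan still computes the right image->start for the first matching section; the WARN is the cost of not being able to tell which of the overlapping sections was meant. The symbol path removes the range comparison entirely, which is why the fix keeps the e_entry scan only as a fallback for purgatory objects that lack the symbol.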
Attack Vector
Exploitation requires local access and the CAP_SYS_BOOT capability to invoke kexec_file_load. The purgatory object is compiled into the kernel image rather than supplied by the caller, so whether the overlapping-section condition exists is a property of how the affected kernel's purgatory was linked; on such a build any caller with CAP_SYS_BOOT reaches the WARN simply by loading a kernel through kexec_file_load, with no malformed input required. The warning path produces stack traces and can disrupt the kexec workflow, contributing to availability degradation but not memory corruption or privilege escalation, consistent with the CWE-noinfo classification assigned by NVD.
No verified public proof-of-concept code is available for this issue. Technical details are documented in the upstream Linux kernel commits.
Detection Methods for CVE-2026-43289
Indicators of Compromise
- Kernel ring buffer entries of the form WARNING: CPU: <n> PID: <n> at kernel/kexec_file.c:1009 kexec_load_purgatory+0x395/0x3c0 (the +0x395/0x3c0 offsets belong to one particular build; match on the file and function names)
- Stack traces referencing bzImage64_load, __do_sys_kexec_file_load, and entry_SYSCALL_64_after_hwframe
- Unexpected kexec_file_load syscall invocations from non-administrative workflows
Detection Strategies
- Monitor dmesg, journalctl -k and /var/log/kern.log for the WARN signature at kexec_load_purgatory, keying on the source file and function name rather than the build-specific offsets
- Audit processes that hold CAP_SYS_BOOT capability and track their syscall activity
- Correlate kexec_file_load invocations with the user context and parent process tree
Monitoring Recommendations
- Enable auditd rules for the kexec_file_load syscall to capture all invocations with caller metadata
- Forward kernel logs to a centralized SIEM for pattern matching against the WARN signature
- Baseline expected kexec usage and alert on deviations from administrative maintenance windows
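The detection strategies and monitoring recommendations above come down to one matching rule: key on the source file and function in the WARNING header, not on the symbol offsets, and use the surrounding frames to confirm the syscall path. The following C program is an added example of that rule, not code from the page or from any project; the kernel log lines it scans are constructed, and the unrelated WARN line and its function name are invented purely to show a non-match.

```c
/* Added example: classify kernel log lines for the kexec_load_purgatory() WARN.
 * The sample log below is constructed; offsets such as +0x395/0x3c0 differ
 * between builds, so matching keys on the file and function names only. */
#include <stdio.h>
#include <string.h>

/* Returns 1 when `line` is the WARNING header of the kexec_load_purgatory()
 * warn, storing the reporting PID and the source line number; 0 otherwise.
 * Kernel format: "WARNING: CPU: %d PID: %d at %s:%d %pS" */
int match_kexec_warn(const char *line, int *pid, int *srcline)
{
    const char *p = strstr(line, "WARNING: CPU:");
    char file[128], func[64];
    int cpu;

    if (!p)
        return 0;
    if (sscanf(p, "WARNING: CPU: %d PID: %d at %127[^:]:%d %63[^+ \n]",
               &cpu, pid, file, srcline, func) != 5)
        return 0;
    return strcmp(file, "kernel/kexec_file.c") == 0 &&
           strcmp(func, "kexec_load_purgatory") == 0;
}

/* Stack frames that place the WARN inside the kexec_file_load syscall path. */
int is_kexec_syscall_frame(const char *line)
{
    return strstr(line, "__do_sys_kexec_file_load") != NULL ||
           strstr(line, "bzImage64_load") != NULL;
}

/* Counts matching WARNING headers in `lines`; the PID and source line of the
 * first hit are stored for correlation with audit records. */
int count_kexec_warns(const char *const *lines, int n, int *first_pid, int *first_srcline)
{
    int hits = 0, pid, sl;
    for (int i = 0; i < n; i++) {
        if (match_kexec_warn(lines[i], &pid, &sl)) {
            if (hits == 0) {
                *first_pid = pid;
                *first_srcline = sl;
            }
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: one full trace, one unrelated WARN that must not match,
 * and a second kexec WARN from a build with different symbol offsets. */
static const char *const sample_log[] = {
    "[  120.442771] ------------[ cut here ]------------",
    "[  120.442780] WARNING: CPU: 2 PID: 1234 at kernel/kexec_file.c:1009 kexec_load_purgatory+0x395/0x3c0",
    "[  120.442795] Call Trace:",
    "[  120.442799]  <TASK>",
    "[  120.442803]  bzImage64_load+0x2c8/0x5f0",
    "[  120.442810]  __do_sys_kexec_file_load+0x1d4/0x4a0",
    "[  120.442817]  do_syscall_64+0x5b/0x180",
    "[  120.442822]  entry_SYSCALL_64_after_hwframe+0x76/0x7e",
    "[  120.442830] ---[ end trace 0000000000000000 ]---",
    "[  130.001002] WARNING: CPU: 0 PID: 77 at mm/page_alloc.c:1234 invented_other_func+0x10/0x20",
    "[  140.500000] WARNING: CPU: 1 PID: 4321 at kernel/kexec_file.c:1009 kexec_load_purgatory+0x3a1/0x3d0",
};
#define SAMPLE_LINES ((int)(sizeof(sample_log) / sizeof(sample_log[0])))

int sample_warn_count(void)    { int p = 0, s = 0; return count_kexec_warns(sample_log, SAMPLE_LINES, &p, &s); }
int sample_first_pid(void)     { int p = 0, s = 0; count_kexec_warns(sample_log, SAMPLE_LINES, &p, &s); return p; }
int sample_first_srcline(void) { int p = 0, s = 0; count_kexec_warns(sample_log, SAMPLE_LINES, &p, &s); return s; }
int sample_frame_count(void)
{
    int c = 0;
    for (int i = 0; i < SAMPLE_LINES; i++)
        c += is_kexec_syscall_frame(sample_log[i]);
    return c;
}

int main(void)
{
    printf("kexec_load_purgatory WARNs: %d (first PID %d, kernel/kexec_file.c:%d)\n",
           sample_warn_count(), sample_first_pid(), sample_first_srcline());
    printf("kexec_file_load syscall frames: %d\n", sample_frame_count());
    return 0;
}
```

The PID recovered from the WARNING header is the value to join against the audit records of kexec_file_load (auditd rules keyed on that syscall record the calling pid, uid and executable), which turns a log signature into an attributable event.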
How to Mitigate CVE-2026-43289
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the kernel.org stable commits
- Restrict CAP_SYS_BOOT to administrative accounts and remove from unprivileged contexts
- Update to a patched kernel build from your distribution vendor as soon as it becomes available
Patch Information
The fix is available in multiple Linux stable branches. Refer to the following upstream commits: Linux Kernel Commit 0277975, Linux Kernel Commit 1737d37, Linux Kernel Commit 36eb314, Linux Kernel Commit 480e1d5, Linux Kernel Commit 5226570, Linux Kernel Commit 8753551, Linux Kernel Commit cfccd3b, and Linux Kernel Commit f736032. The patch derives the purgatory entry point from the purgatory_start symbol when present, falling back to e_entry otherwise.
Workarounds
- Disable both kexec syscalls by setting kernel.kexec_load_disabled=1 via sysctl on systems where live kernel replacement is not required; the switch is one-way and stays set until reboot, and it also blocks loading a kdump crash kernel, so load that first if kdump is in use
- Remove the CAP_SYS_BOOT capability from service accounts and containers that do not need to load kernels
- Kernel lockdown (boot parameter lockdown=integrity or lockdown=confidentiality) blocks the legacy kexec_load syscall and requires signed images for kexec_file_load; it narrows what can be loaded but does not avoid the purgatory setup path, so treat it as defense in depth rather than a fix for this issue
# Configuration example
# Disable kexec_load and kexec_file_load until a patched kernel is deployed.
# One-way switch: once set to 1 it cannot be cleared without a reboot.
echo 1 | sudo tee /proc/sys/kernel/kexec_load_disabled
# Persist across reboots
echo 'kernel.kexec_load_disabled = 1' | sudo tee /etc/sysctl.d/99-kexec.conf
sudo sysctl --system
# Verify
sysctl kernel.kexec_load_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


