CVE-2026-43313 Overview
CVE-2026-43313 is a NULL pointer dereference vulnerability in the Linux kernel's ACPI processor subsystem. The flaw resides in the acpi_processor_errata_piix4() function, which handles errata workarounds for the Intel PIIX4 chipset. The function reuses a single dev pointer across two consecutive pci_get_subsys() lookups for an IDE device and an ISA device. When the first lookup succeeds and the second fails, dev is overwritten with NULL, and the subsequent dev_dbg(&dev->dev, ...) call dereferences the NULL pointer. Exploitation requires local access and triggers a kernel crash, resulting in denial of service [CWE-476].
Critical Impact
A local low-privileged user on an affected Linux system can trigger a kernel NULL pointer dereference leading to a system crash and high availability impact.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 2.6.12 (including rc2 through rc5)
- Systems using the ACPI processor driver on PIIX4-class hardware
Discovery Timeline
- 2026-05-08 - CVE-2026-43313 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43313
Vulnerability Analysis
The vulnerability is located in acpi_processor_errata_piix4() in the Linux kernel's ACPI processor driver. The function probes for legacy Intel PIIX4 chipset devices to apply bus master interrupt errata workarounds. It performs two PCI subsystem lookups using pci_get_subsys(): one for the IDE device (PCI_DEVICE_ID_INTEL_82371AB) and another for the ISA device (PCI_DEVICE_ID_INTEL_82371AB_0). Both lookups assign their result to the same dev pointer variable.
If the IDE lookup returns a valid device but the ISA lookup returns NULL, dev is overwritten with NULL. Later in the function, if errata.piix4.bmisx is set, the kernel invokes dev_dbg(&dev->dev, ...), which dereferences the now-NULL dev pointer. The fix introduces two independent temporary pointers so each device handle is tracked separately, preventing the overwrite.
Root Cause
The root cause is unsafe pointer reuse without intermediate NULL validation. The original code assumed both pci_get_subsys() calls would succeed or fail together, an assumption that breaks on systems where the IDE function is present but the ISA function is not enumerated. Classified under [CWE-476] NULL Pointer Dereference, the bug is a defensive programming oversight in early driver initialization logic.
Attack Vector
Exploitation requires local access with low privileges on a system whose hardware topology causes the asymmetric PCI lookup result. There is no network attack surface and no user interaction beyond triggering the affected code path. The outcome is a kernel oops or panic, producing a denial-of-service condition. The vulnerability does not provide a path to code execution, privilege escalation, or information disclosure.
No public proof-of-concept or in-the-wild exploitation has been reported.
Detection Methods for CVE-2026-43313
Indicators of Compromise
- Kernel oops or panic messages referencing acpi_processor_errata_piix4 in dmesg or /var/log/kern.log
- Unexpected system reboots or hangs during ACPI processor driver initialization at boot
- NULL pointer dereference stack traces involving dev_dbg calls from the ACPI processor module
Detection Strategies
- Inventory running kernel versions across Linux hosts and compare against the patched commits published on git.kernel.org for this CVE
- Audit kernel crash dumps and kdump archives for signatures matching the acpi_processor_errata_piix4() call path
- Correlate hardware platform data with kernel version data to identify legacy PIIX4-class systems running unpatched kernels
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized log platform and alert on BUG: unable to handle kernel NULL pointer dereference events
- Track patch deployment status across the fleet using configuration management telemetry
- Monitor for repeated boot failures or crash loops on systems following kernel updates
How to Mitigate CVE-2026-43313
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits for this CVE
- Update to a distribution kernel that includes the fix from your Linux vendor (Red Hat, SUSE, Ubuntu, Debian)
- Restrict local shell access on multi-user systems running unpatched kernels until updates are applied
Patch Information
The fix is committed across multiple stable branches. Reference patches include Kernel Git Commit 01e8751, Kernel Git Commit 0398b6, Kernel Git Commit 06724a6, Kernel Git Commit 29f60d3, Kernel Git Commit ad86ac6, Kernel Git Commit b803811, and Kernel Git Commit f132e08. The change replaces the reused dev pointer with two independent temporary pointers.
Workarounds
- Disable the ACPI processor driver on affected legacy hardware if a kernel update cannot be applied immediately
- Limit local user accounts and enforce least-privilege access controls to reduce exposure
- Schedule reboots into patched kernels during the next maintenance window to ensure the fix loads
# Verify running kernel and check for vendor-provided update
uname -r
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | cut -d- -f2-)
# RHEL/CentOS/Fedora
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
