CVE-2026-43344 Overview
CVE-2026-43344 is a Linux kernel vulnerability in the perf/x86/intel/uncore subsystem. The flaw resides in snbep_pci2phy_map_init() and affects die ID initialization and lookup logic on Intel server platforms. When nr_node_ids > 8, uncore_device_to_die() can return -1 if all CPUs associated with the UBOX device are offline, triggering an erroneous WARN_ON_ONCE and breaking out of the device enumeration loop. A separate path on Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) platforms causes PMON units to be omitted from the red-black tree when NUMA is disabled, since pcibus_to_node() returns NUMA_NO_NODE. The issue is categorized under [CWE-617] Reachable Assertion.
Critical Impact
A local low-privileged user can trigger kernel assertion conditions or cause performance monitoring units to be ignored on Intel SPR and EMR systems, resulting in availability impact.
Affected Products
- Linux Kernel (mainline, * versions prior to fix)
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Intel Sapphire Rapids (SPR) and Emerald Rapids (EMR) platforms running affected kernels
Discovery Timeline
- 2026-05-08 - CVE-2026-43344 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43344
Vulnerability Analysis
The vulnerability resides in the Intel uncore Performance Monitoring Unit (PMON) initialization code at arch/x86/events/intel/uncore_snbep.c. The function snbep_pci2phy_map_init() iterates over PCI devices using pci_get_device() to build a PCI-to-physical mapping for UBOX devices. In the code path taken when nr_node_ids > 8, the helper uncore_device_to_die() may legitimately return -1 when all CPUs bound to a UBOX device are offline. The existing WARN_ON_ONCE(die_id == -1) check incorrectly treats this expected condition as an error, breaks out of the iteration loop, and returns -EINVAL. Because pci_get_device() does not guarantee iteration in domain or bus order, subsequent UBOX devices are skipped, leaving the mapping incomplete.
Root Cause
The root cause is twofold. First, the assertion treats a legitimate offline-bus condition as an unrecoverable error, producing a reachable WARN_ON_ONCE warning and aborting enumeration. Second, on NUMA-capable platforms running with NUMA disabled, pcibus_to_node() returns NUMA_NO_NODE, which causes uncore_device_to_die() to return -1 for every PCI device. As a result, spr_update_device_location() on Intel SPR and EMR ignores PMON units and fails to insert them into the red-black tree used for device tracking.
Attack Vector
The attack vector is local (AV:L) and requires low privileges (PR:L) with no user interaction. An unprivileged local user able to influence PMU initialization paths or trigger UBOX device enumeration on a vulnerable Intel uncore platform can drive the kernel into the buggy code path, producing kernel warnings and degrading or disabling uncore performance monitoring. The impact is limited to availability (A:H); confidentiality and integrity are not affected. Because no verified public proof-of-concept is available, exploitation is constrained to triggering the conditions during kernel boot or PMU subsystem initialization.
Detection Methods for CVE-2026-43344
Indicators of Compromise
- Kernel log entries containing WARN_ON_ONCE traces originating from snbep_pci2phy_map_init or uncore_device_to_die in dmesg output.
- Missing PMON units in /sys/devices/uncore_* on Intel SPR or EMR systems, indicating spr_update_device_location() skipped registration.
- perf tool reporting uncore events as unavailable on affected Intel Xeon Scalable processors despite the hardware supporting them.
Detection Strategies
- Audit kernel versions across the fleet using uname -r and cross-reference against the patched stable kernel commits 6a5dc3ee9758 and a16d1ec4dd0c.
- Monitor kernel ring buffer logs for repeated warnings tied to the uncore PMU subsystem during boot or module reload.
- Validate uncore PMU registration on Intel SPR and EMR hosts by enumerating /sys/bus/event_source/devices/ and confirming expected uncore counters are present.
Monitoring Recommendations
- Centralize dmesg and journalctl -k output to a log aggregation pipeline to detect kernel warnings at scale.
- Track Linux kernel package update status on Intel Xeon SPR and EMR hosts as part of standard patch compliance reporting.
- Alert on anomalous gaps in uncore performance counter telemetry that may indicate PMON units were not registered.
How to Mitigate CVE-2026-43344
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in commits 6a5dc3ee9758 and a16d1ec4dd0c or update to a stable kernel release that incorporates them.
- Identify Intel Sapphire Rapids and Emerald Rapids systems in your fleet and prioritize them for patching, as they are specifically affected by the spr_update_device_location() regression.
- Restrict local access on multi-tenant systems where unprivileged users can interact with the uncore PMU subsystem.
Patch Information
The fix replaces the WARN_ON_ONCE(die_id == -1) and early loop break with logic that uses uncore_pcibus_to_dieid(), which derives topology from the UBOX GIDNIDMAP register and works regardless of whether NUMA is enabled. The patch also adds snbep_pci2phy_map_init() to spr_uncore_pci_init() so SPR and EMR platforms benefit from the corrected mapping. uncore_device_to_die() is retained only for the nr_node_ids > 8 case, where NUMA is expected to be enabled. See the Linux Kernel Commit 6a5dc3e and Linux Kernel Commit a16d1ec4 for full patch details.
Workarounds
- Where patching is not immediately feasible, ensure NUMA support is enabled in the kernel configuration (CONFIG_NUMA=y) on NUMA-capable Intel server hardware to avoid the NUMA_NO_NODE code path.
- Keep CPUs associated with UBOX devices online to prevent uncore_device_to_die() from returning -1 in the nr_node_ids > 8 path.
- Limit shell and PMU access to trusted administrative accounts on affected hosts until patches are deployed.
# Verify running kernel version and confirm patch presence
uname -r
# Confirm NUMA is enabled to avoid the NUMA_NO_NODE workaround path
grep CONFIG_NUMA= /boot/config-$(uname -r)
numactl --hardware
# Inspect uncore PMU registration on Intel SPR/EMR hosts
ls /sys/bus/event_source/devices/ | grep uncore
# Review kernel logs for related warnings
dmesg | grep -iE 'snbep_pci2phy_map_init|uncore_device_to_die'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
