CVE-2026-43347 Overview
CVE-2026-43347 is a Linux kernel vulnerability affecting arm64 Qualcomm Monaco-based platforms. The kernel inadvertently accesses hypervisor-owned memory because the EFI memory map reserves only a subset of the Gunyah metadata region. The Qualcomm hypervisor claims memory at 0x91a80000 of size 0x80000 (512 KiB), but firmware reserves only 288 KiB. The page frame allocator can hand out PFNs inside the hypervisor-owned region, triggering Synchronous External Abort exceptions (ESR=0x96000010) and kernel crashes. The issue is resolved by adding a reserved-memory carveout with no-map for the Gunyah hypervisor metadata in the device tree.
Critical Impact
Kernel allocations from hypervisor-owned memory cause fatal synchronous external aborts and full system crashes on affected Monaco platforms.
Affected Products
- Linux kernel 7.0 release candidates (rc1 through rc7)
- arm64 builds for Qualcomm Monaco-based platforms
- Systems using the Gunyah hypervisor (gunyah-e78adb36e debug build)
Discovery Timeline
- 2026-05-08 - CVE-2026-43347 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43347
Vulnerability Analysis
The vulnerability stems from a mismatch between two firmware-provided memory descriptors. The Qualcomm hypervisor (Gunyah) reports its metadata region at 0x91a80000 spanning 0x80000 bytes (512 KiB). The Unified Extensible Firmware Interface (UEFI) memory map, however, only marks 0x91a40000–0x91a87fff as Reserved, while 0x91a88000–0x0000938fffff is exposed as Conventional memory.
Linux trusts the EFI memory map when constructing its physical memory allocator. The kernel therefore considers the upper portion of the Gunyah metadata region as usable RAM. When the allocator returns page frames inside that range, any subsequent access reaches memory owned by the hypervisor stage-2 translation, which denies the access and generates a synchronous external abort.
Root Cause
The root cause is missing device tree reservation for hypervisor-owned memory. The Monaco device tree source (arm64/boot/dts/qcom/monaco) did not declare a reserved-memory carveout covering the full Gunyah metadata region. Without a no-map reservation, memblock and the buddy allocator treat the conventional-marked subrange as free memory available for kernel and userspace allocations.
Attack Vector
This is a reliability and availability defect rather than a remotely exploitable memory corruption flaw. The CVSS vector indicates impact limited to availability. Triggering the abort requires the allocator to select a PFN inside the unreserved hypervisor region, which depends on boot-time memory layout and workload pressure. The result is a kernel crash and denial of service on affected Monaco hardware.
No public proof-of-concept exists and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability manifests during normal kernel operation on impacted devices and does not require attacker interaction. See the upstream commits at git.kernel.org commit 59bd9088 for technical details of the device tree change.
Detection Methods for CVE-2026-43347
Indicators of Compromise
- Kernel oops or panic logs containing Synchronous External Abort with ESR=0x96000010 on arm64 Monaco devices.
- Boot log line qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 paired with EFI map entries showing 0x91a88000 as Conventional memory.
- Unexpected reboots or watchdog resets shortly after high memory pressure on Monaco-based hardware.
Detection Strategies
- Parse dmesg and persistent kernel logs for synchronous external abort signatures correlated with addresses in the 0x91a80000–0x91afffff range.
- Compare EFI memory map output against the Gunyah qhee_hyp_assign_remove_memory boot messages to identify reservation gaps.
- Inventory deployed kernels and flag arm64 Monaco builds running Linux 7.0 release candidates without the device tree fix.
Monitoring Recommendations
- Centralize kernel crash logs from arm64 fleets and alert on repeated synchronous external aborts.
- Track kernel version and device tree blob hashes across managed devices to confirm patched builds are deployed.
- Monitor hypervisor health telemetry from Gunyah for stage-2 access denials targeting metadata addresses.
How to Mitigate CVE-2026-43347
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories to all arm64 Monaco builds.
- Rebuild and deploy the updated device tree blob containing the full 512 KiB Gunyah metadata reservation.
- Restrict the affected Linux 7.0 release candidate kernels from production rollout until the device tree fix is in place.
Patch Information
The fix adds a reserved-memory carveout at 0x91a80000 of size 0x80000 and marks it no-map, preventing Linux from mapping or allocating from the hypervisor metadata region. The patches are available in the following stable tree commits: commit 59bd9088, commit 85d98669, and commit edde6257.
Workarounds
- Boot affected devices with a memmap= kernel command-line entry that excludes 0x91a80000+0x80000 from usable memory until the patched device tree is deployed.
- Pin Monaco platforms to an earlier stable kernel that predates the regression while validating the upstream fix.
- Coordinate with the platform vendor to obtain firmware updates that emit a corrected EFI memory map covering the full Gunyah metadata region.
# Configuration example: reserved-memory node added by the upstream fix
reserved-memory {
#address-cells = <2>;
#size-cells = <2>;
ranges;
gunyah_hyp_mem: gunyah-hyp@91a80000 {
reg = <0x0 0x91a80000 0x0 0x80000>;
no-map;
};
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
