CVE-2026-43413 Overview
CVE-2026-43413 is a NULL pointer dereference vulnerability in the Linux kernel's hisi_sas SCSI driver. The flaw occurs in the user_scan() function path when scanning channels beyond the driver's supported range. After commit 37c4e72b0651 updated sas_user_scan() to iterate across multiple channels, hisi_sas — which supports only one channel — triggers a kernel oops when scanning channel 1. The dereference occurs inside sas_find_dev_by_rphy() during target allocation, resulting in a kernel crash.
Critical Impact
A local user with write access to the SCSI scan sysfs attribute can trigger a kernel NULL pointer dereference, causing a denial of service on systems using HiSilicon SAS controllers.
Affected Products
- Linux kernel versions containing commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans")
- Systems using the hisi_sas_v3_hw and hisi_sas_main drivers
- HiSilicon SAS controller deployments on ARM64 server platforms
Discovery Timeline
- 2026-05-08 - CVE-2026-43413 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43413
Vulnerability Analysis
The vulnerability resides in the SCSI mid-layer scan path invoked through the /sys/class/scsi_host/hostX/scan sysfs interface. When a user writes to this attribute, store_scan() calls sas_user_scan(), which then iterates from channel 0 through shost->max_channel. For the hisi_sas driver, max_channel equals 1, so the loop attempts to scan channel 1 even though the hardware supports only channel 0.
During the channel 1 scan, scsi_scan_host_selected() reaches sas_target_alloc(), which calls sas_find_dev_by_rphy(). Because no remote PHY structure exists for the unsupported channel, the lookup returns a NULL pointer that is subsequently dereferenced. The crash trace shows a level 0 translation fault at virtual address 0x00000000000008b0, characteristic of a structure field access through a NULL base pointer.
Root Cause
The root cause is a mismatch between the generic sas_user_scan() multi-channel iteration logic introduced in commit 37c4e72b0651 and the single-channel capability of the hisi_sas driver. The generic SCSI layer does not validate whether the underlying SAS driver can service requests for channels above 0 before invoking target allocation routines that assume a valid remote PHY exists.
Attack Vector
Exploitation requires local access with privileges sufficient to write to SCSI host sysfs attributes, typically root. An attacker writes a wildcard or multi-channel scan specification to /sys/class/scsi_host/hostN/scan on a system using hisi_sas hardware. The resulting NULL pointer dereference produces a kernel oops. The vulnerability cannot be exploited remotely and does not yield code execution; the impact is limited to availability.
The vulnerability is classified as a Null Pointer Dereference [CWE-476] in the kernel driver layer. The truncated upstream commit message indicates the fix restricts the scan iteration so that hisi_sas no longer processes channels beyond its supported range. Refer to the kernel commit 21a13db8 for the corrected logic.
Detection Methods for CVE-2026-43413
Indicators of Compromise
- Kernel oops messages referencing sas_find_dev_by_rphy+0x44/0x118 in dmesg or system logs
- Call traces involving sas_user_scan, scsi_scan_host_selected, and sas_target_alloc followed by a NULL pointer dereference
- Unexpected host crashes or kdump captures on ARM64 systems with hisi_sas_v3_hw loaded
Detection Strategies
- Inventory Linux hosts running kernels that include commit 37c4e72b0651 and the hisi_sas driver to identify exposure.
- Monitor writes to /sys/class/scsi_host/host*/scan for wildcard or multi-channel patterns issued by non-administrative workflows.
- Correlate kernel panic events with preceding sysfs write activity to detect attempted exploitation.
Monitoring Recommendations
- Forward kernel ring buffer messages and kdump artifacts to a centralized logging platform for retention and alerting.
- Alert on kernel oops or panic events containing the strings sas_find_dev_by_rphy or sas_user_scan.
- Track loaded kernel modules to flag systems where hisi_sas_main is active on vulnerable kernel versions.
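The two monitoring checks above, as an added shell example that is not part of this advisory or of the kernel sources: one function classifies a string written to the scan attribute as a wildcard or multi-channel request, the other matches a block of kernel log text against the oops signature described here. Both the log excerpt and the scan strings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel tree.
#  1. is_multichannel_scan_request: does a string written to
#     /sys/class/scsi_host/hostN/scan ask for a channel hisi_sas lacks?
#  2. is_cve_2026_43413_oops: does kernel log text carry the oops
#     signature the advisory lists (NULL deref + sas_find_dev_by_rphy +
#     sas_user_scan)?

# The scan attribute takes "<channel> <target> <lun>", "-" meaning wildcard.
# hisi_sas serves channel 0 only, so "-" or a channel above 0 is what sends
# the unpatched sas_user_scan() into channel 1.
is_multichannel_scan_request() {
    set -- $1                      # split on whitespace into $1 $2 $3
    [ "$#" -eq 3 ] || return 1     # not a well-formed scan request
    case "$1" in
        -) return 0 ;;             # wildcard channel
        0) return 1 ;;             # channel 0 only: within hisi_sas range
        *[!0-9]*) return 1 ;;      # not numeric: the kernel rejects it
        *) return 0 ;;             # numeric channel >= 1
    esac
}

# All three markers must be present; any one alone is too generic.
is_cve_2026_43413_oops() {
    printf '%s\n' "$1" | grep -q 'NULL pointer dereference' || return 1
    printf '%s\n' "$1" | grep -q 'sas_find_dev_by_rphy' || return 1
    printf '%s\n' "$1" | grep -q 'sas_user_scan' || return 1
}

# Constructed log excerpt shaped like an arm64 oops (not a real capture).
SAMPLE_OOPS='[  512.001] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[  512.002] pc : sas_find_dev_by_rphy+0x44/0x118
[  512.003] Call trace:
[  512.004]  sas_find_dev_by_rphy+0x44/0x118
[  512.005]  sas_target_alloc+0x24/0x40
[  512.006]  scsi_scan_host_selected+0x110/0x1e0
[  512.007]  sas_user_scan+0x9c/0x120
[  512.008]  store_scan+0x34/0x50'

# Constructed benign lines from the same driver, for contrast.
SAMPLE_BENIGN='[   10.100] scsi host0: hisi_sas_v3_hw
[   10.101] sas: phy-0:0 added to port-0:0, phy_mask:0x1'

if is_cve_2026_43413_oops "$SAMPLE_OOPS"; then echo "oops signature found"; fi
is_multichannel_scan_request "- - -" && echo "wildcard scan request flagged"
```

In production the first function would be fed the payload recorded by an audit rule on the scan attribute and the second a journal or kdump excerpt; nothing here reads live system state.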
How to Mitigate CVE-2026-43413
Immediate Actions Required
- Apply the upstream kernel patches referenced by commits 21a13db8, 40119a2, 70c7842, 8ddc0c2, and beadac1 to all affected systems.
- Restrict write access to /sys/class/scsi_host/host*/scan to trusted administrative accounts and tooling.
- Schedule controlled reboots for HiSilicon SAS-equipped servers after patch installation to load the corrected driver.
Patch Information
The fix is distributed across multiple stable Linux kernel branches. Authoritative patches are available as kernel commits 21a13db8, 40119a2, 70c7842, 8ddc0c2, and beadac1. Consult your Linux distribution vendor for backported builds.
Workarounds
- Avoid issuing wildcard SCSI host rescans (for example, echo "- - -" > /sys/class/scsi_host/hostN/scan) on systems with hisi_sas hardware until patches are applied.
- Limit shell and sysfs access on affected hosts using mandatory access control policies such as SELinux or AppArmor.
- If patching is not immediately possible, consider unloading the hisi_sas_v3_hw module on test systems where SAS storage is not in active use.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.