CVE-2026-43445 Overview
CVE-2026-43445 is a memory leak vulnerability in the Linux kernel affecting the e1000 and e1000e Intel Ethernet network drivers. The flaw resides in the DMA error cleanup path of the transmit (TX) buffer mapping logic. When a DMA mapping operation fails partway through processing a socket buffer (skb), the driver fails to unmap one of the previously mapped buffers due to an off-by-one error. This results in a leaked DMA mapping each time the error path triggers. The issue was introduced by commit c1fa347f20f1, which fixed an earlier infinite loop bug but decremented the count variable incorrectly before the cleanup loop.
Critical Impact
Repeated DMA mapping failures can exhaust kernel DMA resources on systems using e1000 or e1000e Intel Ethernet adapters, potentially causing degraded network performance or resource exhaustion conditions over time.
Affected Products
- Linux kernel e1000 driver (Intel PRO/1000 Ethernet)
- Linux kernel e1000e driver (Intel PRO/1000 PCIe Ethernet)
- Multiple stable kernel branches prior to the patched commits
Discovery Timeline
- 2026-05-08 - CVE-2026-43445 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43445
Vulnerability Analysis
The vulnerability exists in the TX buffer mapping path within the e1000 and e1000e network drivers. When the kernel transmits a packet, it must map each fragment of the skb for DMA access by the network adapter. If any mapping fails during this process, the driver enters a dma_error cleanup routine intended to unmap any buffers that were successfully mapped before the failure.
The count variable tracks successful mappings and is incremented after each successful operation. As a result, count already reflects the correct number of buffers requiring cleanup when dma_error is reached. However, the buggy code decremented count before entering the unmap loop, causing the cleanup to skip exactly one mapping. This means that when at least one mapping succeeds before a failure, one DMA mapping is leaked per error event.
Root Cause
The root cause is an off-by-one error introduced by commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()"). That commit corrected an infinite loop introduced by commits 03b1320dfcee and 602c0554d7b0, but in doing so it added an unnecessary pre-decrement of count, breaking the invariant that count equals the number of buffers needing unmapping. This is classified as a memory leak [CWE-401] in kernel DMA resource handling.
Attack Vector
The vulnerability is not directly triggerable by remote attackers. It manifests only when the underlying DMA mapping subsystem returns an error during TX buffer setup, which is a rare runtime condition tied to memory pressure or IOMMU resource exhaustion. The flaw is a reliability and resource-leak issue rather than an exploitable code execution primitive. The vulnerability mechanism is described in the upstream kernel commit messages referenced below; no public proof-of-concept exists.
Detection Methods for CVE-2026-43445
Indicators of Compromise
- Gradual depletion of available DMA mapping entries on systems using e1000 or e1000e adapters
- Kernel log messages from e1000/e1000e indicating dma_error paths being exercised under load
- Long-running hosts showing increased IOMMU resource usage without a corresponding workload change
Detection Strategies
- Audit the running kernel version against patched stable branches referenced in Kernel Commit fa5ba98 and related backports
- Monitor /proc/meminfo and IOMMU statistics for unexpected growth in mapped DMA regions
- Correlate network adapter driver name (e1000, e1000e) with kernel version inventory across the fleet
Monitoring Recommendations
- Track kernel dmesg output for repeated e1000 or e1000e TX error events
- Alert on hosts where DMA-mapped memory grows monotonically without bound
- Include kernel version compliance checks in routine host posture assessments
How to Mitigate CVE-2026-43445
Immediate Actions Required
- Update affected Linux systems to a kernel version that includes the fix from the referenced upstream commits
- Inventory hosts using e1000 or e1000e Intel Ethernet drivers, including virtualized environments where these are common emulated NICs
- Coordinate kernel upgrades with distribution vendors that have backported the patch to supported stable branches
Patch Information
The fix has been merged across multiple stable kernel branches. The relevant upstream commits include Kernel Commit 0606c24, Kernel Commit 0a1fc25, Kernel Commit 10b5e65, Kernel Commit 30e87ad, Kernel Commit 519051c, Kernel Commit 7eaeb77, Kernel Commit e94eaef, and Kernel Commit fa5ba98. Administrators should apply the kernel update provided by their Linux distribution.
Workarounds
- No supported workaround removes the underlying leak; only the kernel patch resolves the issue
- On virtualized hosts, switching guest NIC emulation away from e1000/e1000e to virtio-net avoids the affected code path entirely
- Periodically reboot affected hosts as a temporary measure to reclaim leaked DMA mappings until patches can be deployed
# Verify which kernel version is running and which driver is bound to the NIC
uname -r
ethtool -i eth0 | grep -E '^driver:'
# Expected: driver: e1000 or driver: e1000e on affected systems
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
