CVE-2026-43449 Overview
CVE-2026-43449 is an out-of-bounds read vulnerability in the Linux kernel's NVMe PCI driver. The flaw resides in the nvme_dbbuf_set function within drivers/nvme/host/pci.c, where an incorrect loop boundary causes the kernel to read beyond the allocated queue array. KASAN (Kernel Address Sanitizer) detected the issue as a slab-out-of-bounds read of 2 bytes during NVMe controller reset operations. The bug is reached from the nvme_reset_work workqueue routine, whose reset path iterates over dev->online_queues with an off-by-one boundary. The Linux kernel maintainers have resolved the issue across multiple stable branches.
Critical Impact
An out-of-bounds read in the NVMe PCI driver can lead to kernel memory disclosure or system instability during NVMe device reset events.
Affected Products
- Linux Kernel (mainline) NVMe PCI driver (drivers/nvme/host/pci.c)
- Multiple stable Linux kernel branches referenced by the upstream fix commits
- Systems using NVMe storage devices with PCIe attachment
Discovery Timeline
- 2026-05-08 - CVE-2026-43449 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43449
Vulnerability Analysis
The vulnerability is classified as an Out-of-Bounds Read [CWE-125] in the kernel's NVMe PCI driver. The function nvme_dbbuf_set calls nvme_dbbuf_free in a loop that uses dev->online_queues as its upper bound. Because dev->online_queues represents a count rather than the highest valid index, the loop iterates one position beyond the allocated queue array.
KASAN reported the read of size 2 at address ffff88800592a574, located 244 bytes beyond the allocated 1152-byte region in the kmalloc-2k slab cache. The allocation originates in nvme_pci_alloc_dev via kmalloc_array_node_noprof, which sizes the queue array based on the device's queue count.
The upstream fix corrects the loop condition so the index stays strictly below dev->online_queues, that is, within 0 through dev->online_queues − 1. Index 0 is excluded as well because it refers to the admin queue, which is managed separately, so the corrected loop covers indices 1 through dev->online_queues − 1.
Root Cause
The root cause is an off-by-one boundary error. The code treats a count value (online_queues) as if it were an inclusive index. This produces a read past the end of the queue pointer array during NVMe reset paths invoked by the nvme-reset-wq workqueue.
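The count-versus-index error described above, modelled in an added C example that is not the kernel's code: the struct names and the make_dev helper are stand-ins, the device is constructed with its queue array sized exactly by the queue count (the situation the KASAN report describes), and the buggy inclusive bound is compared against the corrected exclusive one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct queue { uint32_t *dbbuf; };    /* stand-in for struct nvme_queue */
struct dev {                          /* hypothetical mirror of struct nvme_dev */
    struct queue *queues;
    unsigned int nr_allocated_queues; /* elements actually allocated */
    unsigned int online_queues;       /* a COUNT: admin queue + I/O queues */
};

/* Constructed test device: the array is sized exactly by the queue count,
 * as described for the kmalloc_array allocation in nvme_pci_alloc_dev. */
static struct dev make_dev(unsigned int online)
{
    struct dev d = { calloc(online, sizeof(struct queue)), online, online };
    for (unsigned int i = 1; i < online; i++)
        d.queues[i].dbbuf = calloc(1, sizeof(uint32_t));
    return d;
}

/* Visit the I/O queue indices the way the loop in nvme_dbbuf_set does, with the
 * bound chosen by `inclusive` (the bug) or exclusive (the fix). Nothing is
 * dereferenced: record the highest index visited, return how many lie past the allocation. */
static unsigned int walk_io_queues(const struct dev *d, bool inclusive,
                                   unsigned int *max_index)
{
    unsigned int oob = 0;
    *max_index = 0;
    for (unsigned int i = 1;
         inclusive ? i <= d->online_queues : i < d->online_queues; i++) {
        *max_index = i;
        if (i >= d->nr_allocated_queues)
            oob++;                    /* this index is the slab-out-of-bounds read */
    }
    return oob;
}

/* Corrected walk: exclusive bound plus an explicit allocation guard.
 * Returns the number of queues whose doorbell buffer was released. */
static unsigned int dbbuf_free_all_fixed(struct dev *d)
{
    unsigned int freed = 0;
    for (unsigned int i = 1; i < d->online_queues && i < d->nr_allocated_queues; i++) {
        free(d->queues[i].dbbuf);
        d->queues[i].dbbuf = NULL;
        freed++;
    }
    return freed;
}
```

With four queues allocated, the inclusive loop visits index 4, one element past the array, while the corrected loop stops at index 3 and releases exactly the three I/O queues.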
Attack Vector
The vulnerability is triggered during NVMe controller initialization and reset workflows handled by nvme_reset_work. Triggering the condition requires local interaction with NVMe hardware or a controller reset event. No network attack vector or remote exploitation path is documented. The EPSS probability is 0.032%, a very low predicted likelihood of exploitation in the wild.
Because no verified exploit code is available, the vulnerability is described in prose only. See the upstream commits, including Linux Kernel Commit 2b9d605 and Linux Kernel Commit 83e6edd, for the patch details.
Detection Methods for CVE-2026-43449
Indicators of Compromise
- KASAN reports containing slab-out-of-bounds in nvme_dbbuf_set or nvme_dbbuf_free in kernel logs
- Kernel call traces referencing nvme_reset_work originating from the nvme-reset-wq workqueue
- Unexpected NVMe controller resets logged through dmesg or journalctl -k
Detection Strategies
- Enable KASAN on test or staging kernels to surface out-of-bounds reads in NVMe code paths
- Monitor kernel logs for BUG: KASAN entries on systems running pre-patch kernels with NVMe storage
- Inventory deployed kernel versions against the fixed commits listed in the upstream references
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging or SIEM platform for nvme_* errors
- Alert on repeated NVMe controller reset events that may indicate underlying instability
- Track kernel package versions through configuration management to confirm patch deployment
How to Mitigate CVE-2026-43449
Immediate Actions Required
- Identify systems running unpatched Linux kernels that include the affected NVMe PCI driver
- Apply the vendor-supplied kernel update from your distribution that incorporates the upstream fix
- Reboot affected hosts after upgrading to load the corrected kernel image
Patch Information
The fix is available across multiple stable kernel branches via the following upstream commits: Linux Kernel Commit 2b9d605, Linux Kernel Commit 328c551, Linux Kernel Commit 50bad78, Linux Kernel Commit 78279d2, Linux Kernel Commit 83e6edd, Linux Kernel Commit 86183d5, Linux Kernel Commit b4e78f1, and Linux Kernel Commit d7990c9. Distribution-packaged kernels should be preferred over manual patching.
Workarounds
- No documented workaround exists; applying the kernel patch is the only complete remediation
- Minimize induced NVMe controller resets while patching is pending to reduce trigger frequency
- Restrict local access on affected hosts to reduce opportunities for adversarial reset triggers
Verification Commands
# Record the running kernel version and review NVMe driver messages after patching
uname -r
dmesg | grep -i nvme
# Confirm the installed kernel package on Debian/Ubuntu
apt list --installed 2>/dev/null | grep linux-image
# Confirm the installed kernel package on RHEL/Fedora
rpm -qa | grep kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.