CVE-2026-43461 Overview
CVE-2026-43461 is a Linux kernel vulnerability in the Amlogic SPI-NAND flash controller driver (spi-amlogic-spifc-a4). The flaw resides in the aml_sfc_dma_buffer_setup() function, which contains three distinct bugs in its Direct Memory Access (DMA) mapping error-handling paths. These bugs include an unnecessary goto branch, a double-unmap condition when the info DMA mapping fails, and an incorrect unmap size that uses datalen instead of infolen when unmapping sfc->iaddr. The issue affects local Linux systems running the vulnerable driver on Amlogic-based hardware.
Critical Impact
Local attackers with low privileges can trigger DMA mapping errors to cause memory corruption, leading to potential privilege escalation, data integrity loss, or denial of service on affected kernels.
Affected Products
- Linux kernel versions containing the spi-amlogic-spifc-a4 driver prior to the fix
- Amlogic A4-series System-on-Chip (SoC) platforms using the SPI-NAND flash controller
- Embedded and IoT devices running affected Linux kernel builds
Discovery Timeline
- 2026-05-08 - CVE-2026-43461 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43461
Vulnerability Analysis
The vulnerability lives in the aml_sfc_dma_buffer_setup() function within the Amlogic SPI flash controller driver. The function maps two DMA buffers — a data buffer (sfc->daddr) and an info buffer (sfc->iaddr) — for hardware-accelerated SPI transactions. Three distinct defects exist in the error-handling logic.
First, when the initial DMA mapping for sfc->daddr fails, the code branches via goto to a cleanup label even though no resources require cleanup at that point. Second, when the info buffer mapping fails, the code performs an inline unmap of sfc->daddr and then falls through to the out_map_data label, which unmaps the same address a second time. This double-unmap corrupts DMA bookkeeping state in the kernel. Third, the out_map_info cleanup path passes datalen to the unmap routine for sfc->iaddr rather than the correct infolen, producing an incorrect DMA synchronization size.
Root Cause
The root cause is improper resource cleanup logic in a kernel driver error path [CWE-401, CWE-415]. Mismatched size parameters and duplicated unmap calls violate the DMA-API contract enforced by the Linux kernel.
Attack Vector
Exploitation requires local access with low privileges on a system running the affected driver. An attacker triggering repeated SPI flash operations under memory pressure can force DMA mapping failures, exercising the broken error paths to corrupt kernel DMA state.
No verified public proof-of-concept code is available. See the upstream commits 0a83d6c, b20b437, and c0b88f1 for the exact source-level changes.
Detection Methods for CVE-2026-43461
Indicators of Compromise
- Kernel warnings or panics referencing dma_unmap_single, aml_sfc_dma_buffer_setup, or DMA debug checks on affected Amlogic systems.
- Repeated SPI flash I/O errors in dmesg accompanied by DMA mapping failure messages.
- Unexpected reboots or kernel oops events on Amlogic A4-based devices under storage workload.
Detection Strategies
- Inventory all Linux systems and embedded devices using Amlogic A4 SoCs with the spi-amlogic-spifc-a4 driver loaded.
- Compare running kernel versions against the patched commits in the stable kernel tree to identify unpatched hosts.
- Enable CONFIG_DMA_API_DEBUG in test environments to surface double-unmap and size-mismatch behaviors.
Monitoring Recommendations
- Collect and centralize kernel ring buffer logs from embedded Linux fleets for analysis of DMA-related faults.
- Monitor for abnormal SPI flash error rates that may indicate attempts to trigger the error path.
- Track kernel package versions across managed Linux endpoints and alert on hosts running pre-patch builds.
How to Mitigate CVE-2026-43461
Immediate Actions Required
- Apply the upstream stable kernel patches referenced by commits 0a83d6c, b20b437, and c0b88f1 to all affected systems.
- Restrict local user access on Amlogic-based devices to trusted accounts until patching is complete.
- Rebuild and redeploy custom kernel images for embedded and IoT devices that ship the affected driver.
Patch Information
The fix is published in the Linux stable tree in commits 0a83d6c, b20b437, and c0b88f1. The patch replaces the faulty goto with a direct return, removes the duplicate inline unmap, and corrects the unmap size from datalen to infolen.
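To make the three error-path defects from the vulnerability analysis and the three fixes listed above concrete, the following is an added example constructed for this page; it is not the driver's code or the upstream patch. It models the DMA API with a small bookkeeping table that counts contract violations (unmapping an address that was never mapped or already unmapped, or unmapping with the wrong size) and runs a sketch of the flawed setup routine beside the corrected one. The buffer sizes, the hypothetical start_transfer step used to reach out_map_info, and the run_scenario harness are assumptions.

```c
#include <stdint.h>
#define DMA_MAPPING_ERROR ((uintptr_t)-1)    /* constructed stand-in for the kernel DMA API */
static struct { uintptr_t addr; unsigned long len; int live; } maps[4];
static int nmaps, fail_on, unmap_errors;      /* fail_on: which step (1..3) fails; 0 = none */
static uintptr_t dma_map(void *buf, unsigned long len) {
    if (--fail_on == 0) return DMA_MAPPING_ERROR;          /* this step was chosen to fail */
    maps[nmaps].addr = (uintptr_t)buf; maps[nmaps].len = len; maps[nmaps].live = 1;
    return maps[nmaps++].addr;
}
static void dma_unmap(uintptr_t addr, unsigned long len) {
    int i = 0;
    while (i < nmaps && maps[i].addr != addr) i++;
    if (i == nmaps || !maps[i].live || maps[i].len != len) unmap_errors++;  /* unknown, dead or wrong size */
    if (i < nmaps) maps[i].live = 0;
}
static int start_transfer(void) { return --fail_on == 0 ? -1 : 0; }   /* hypothetical step 3 */
struct sfc { uintptr_t daddr, iaddr; };
/* Sketch of the three flawed error paths the advisory describes (not the driver's code). */
static int setup_flawed(struct sfc *s, void *data, unsigned long datalen, void *info, unsigned long infolen) {
    s->daddr = dma_map(data, datalen);
    if (s->daddr == DMA_MAPPING_ERROR) goto out_map_data;  /* bug 1: nothing mapped yet */
    s->iaddr = dma_map(info, infolen);
    if (s->iaddr == DMA_MAPPING_ERROR) {
        dma_unmap(s->daddr, datalen);                      /* bug 2: inline unmap, then the */
        goto out_map_data;                                 /*        label unmaps daddr again */
    }
    if (start_transfer() != 0) goto out_map_info;
    return 0;
out_map_info: dma_unmap(s->iaddr, datalen);                /* bug 3: datalen instead of infolen */
out_map_data: dma_unmap(s->daddr, datalen);
    return -1;
}
/* The same function with the three fixes the advisory lists applied. */
static int setup_fixed(struct sfc *s, void *data, unsigned long datalen, void *info, unsigned long infolen) {
    s->daddr = dma_map(data, datalen);
    if (s->daddr == DMA_MAPPING_ERROR) return -1;          /* fix 1: direct return */
    s->iaddr = dma_map(info, infolen);
    if (s->iaddr == DMA_MAPPING_ERROR) goto out_map_data;  /* fix 2: single unmap via the label */
    if (start_transfer() != 0) goto out_map_info;
    return 0;
out_map_info: dma_unmap(s->iaddr, infolen);                /* fix 3: infolen, not datalen */
out_map_data: dma_unmap(s->daddr, datalen);
    return -1;
}
/* Runs one failure scenario and returns how many DMA-API violations the model recorded. */
static int run_scenario(int (*setup)(struct sfc *, void *, unsigned long, void *, unsigned long), int step) {
    static char data[256], info[64]; struct sfc s;         /* constructed buffers of different sizes */
    nmaps = unmap_errors = 0; fail_on = step; setup(&s, data, sizeof data, info, sizeof info);
    return unmap_errors;
}
```

Each of the three failure steps produces exactly one bookkeeping violation in the flawed routine and none in the fixed one, which is the same class of mismatch CONFIG_DMA_API_DEBUG reports on a real kernel.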
Workarounds
- Unload the spi-amlogic-spifc-a4 driver on systems where SPI-NAND flash access is not required.
- Enforce strict local access controls and disable unnecessary local user accounts on affected hardware.
- Limit workloads that exercise SPI flash under memory pressure until patches are deployed.
Shell commands to check exposure on a single host:
# Verify whether the affected driver is loaded
lsmod | grep spifc_a4
# Check running kernel version against patched stable releases
uname -r
# Optional: unload the driver where SPI-NAND is not used
sudo modprobe -r spi-amlogic-spifc-a4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.