CVE-2026-43466 Overview
CVE-2026-43466 is a Linux kernel vulnerability in the net/mlx5e driver affecting Mellanox ConnectX network adapters. The flaw resides in the transmit queue error recovery path, where mlx5e_reset_txqsq_cc_pc() resets the DMA FIFO consumer counter (dma_fifo_cc) to zero without resetting the producer counter (dma_fifo_pc). This desynchronization causes the consumer to read from position 0 while the producer pushes new DMA entries at the old offset. As a result, the driver unmaps stale DMA addresses from before recovery, producing kernel warnings in iommu_dma_unmap_page() and potential memory state corruption in the IOMMU mapping table.
Critical Impact
A TX error completion queue event triggers a recovery flow that unmaps stale DMA addresses, leading to kernel warnings, potential availability loss, and integrity issues on the network data path.
Affected Products
- Linux kernel with the mlx5_core driver enabled (net/mlx5e transmit path)
- Systems using Mellanox ConnectX network adapters with IOMMU-backed DMA
- Multiple stable kernel branches as referenced in the upstream stable tree commits
Discovery Timeline
- 2026-05-08 - CVE-2026-43466 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43466
Vulnerability Analysis
The vulnerability is a logic flaw in the Mellanox mlx5e Ethernet driver's transmit error recovery logic. When the hardware reports a TX error via a Completion Queue Entry (CQE), the driver invokes mlx5e_reset_txqsq_cc_pc() to reset the Send Queue (SQ) state. This function resets dma_fifo_cc (consumer counter) to zero but leaves dma_fifo_pc (producer counter) at its prior value.
The DMA FIFO is a software-only construct tracking DMA mapping entries for in-flight transmit work queue entries (WQEs). After reset, the producer continues pushing new mappings starting at the stale dma_fifo_pc index, while the consumer begins reading from index 0. The consumer therefore dereferences entries that were valid before recovery but no longer correspond to live DMA mappings.
The resulting attempt to unmap stale DMA addresses triggers a WARN at drivers/iommu/dma-iommu.c:1240 inside iommu_dma_unmap_page(), observed during mlx5e_tx_wi_dma_unmap() invocation from mlx5e_poll_tx_cq().
Root Cause
At the point of SQ reset, all outstanding WQEs have already been flushed, so dma_fifo_cc is already equal to dma_fifo_pc. Resetting only dma_fifo_cc to zero breaks the invariant that producer and consumer counters track the same FIFO window. The skb_fifo counters are correctly left untouched in the same path, making the dma_fifo_cc reset inconsistent with surrounding logic.
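The broken invariant can be seen in a small userspace model of the FIFO. This is an added example, not code from the mlx5e driver or the upstream patch; the ring size, the masked indexing, the sample addresses and the names sq_model, dma_push, dma_pop and stale_unmaps_after_recovery are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FIFO_SIZE 8u                 /* constructed ring size, power of two */
#define FIFO_MASK (FIFO_SIZE - 1u)

struct sq_model {                    /* userspace stand-in, not the driver's struct */
    uint64_t dma_fifo[FIFO_SIZE];    /* DMA addresses recorded at map time */
    uint32_t dma_fifo_pc;            /* producer counter */
    uint32_t dma_fifo_cc;            /* consumer counter */
};

static void dma_push(struct sq_model *sq, uint64_t addr)
{
    sq->dma_fifo[sq->dma_fifo_pc++ & FIFO_MASK] = addr;
}

static uint64_t dma_pop(struct sq_model *sq)
{
    return sq->dma_fifo[sq->dma_fifo_cc++ & FIFO_MASK];
}

/* Returns how many post-recovery completions pop a pre-recovery address. */
static int stale_unmaps_after_recovery(int reset_cc_only)
{
    struct sq_model sq = {0};
    const uint64_t fresh[2] = { 0xA000, 0xB000 };   /* constructed addresses */
    int i, stale = 0;

    for (i = 0; i < 3; i++)          /* traffic before the TX error */
        dma_push(&sq, 0x1000 + 0x100 * (uint64_t)i);
    for (i = 0; i < 3; i++)          /* queue flushed: cc == pc == 3 */
        (void)dma_pop(&sq);
    if (reset_cc_only)               /* pre-fix recovery: only cc goes to zero */
        sq.dma_fifo_cc = 0;
    for (i = 0; i < 2; i++)          /* producer continues at index 3 */
        dma_push(&sq, fresh[i]);
    for (i = 0; i < 2; i++)          /* consumer completes the new sends */
        if (dma_pop(&sq) != fresh[i])
            stale++;                 /* would unmap an already-unmapped address */
    return stale;
}

int main(void)
{
    printf("cc reset only: %d stale unmaps\n", stale_unmaps_after_recovery(1));
    printf("cc untouched:  %d stale unmaps\n", stale_unmaps_after_recovery(0));
    return 0;
}
```

With only the consumer counter reset, both post-recovery completions pop pre-recovery addresses; leaving the counter untouched, as the fix does, pops the fresh ones.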
Attack Vector
The vulnerability is reached through the normal TX error CQE handling path. Conditions that generate TX error completions on an mlx5e send queue, such as malformed traffic patterns, queue misconfiguration, or hardware-detected errors during transmission, can trigger recovery and the resulting desync. Exploitation requires conditions that produce TX error CQEs on an active send queue serviced by the affected driver. The upstream fix removes the dma_fifo_cc = 0 assignment from mlx5e_reset_txqsq_cc_pc() so the producer and consumer remain synchronized across recovery.
No public proof-of-concept exploit code is available for this issue. Refer to the upstream stable commits for the verified patch implementation.
Detection Methods for CVE-2026-43466
Indicators of Compromise
- Kernel WARNING at drivers/iommu/dma-iommu.c:1240 in iommu_dma_unmap_page+0x79/0x90
- Call traces containing mlx5e_tx_wi_dma_unmap, mlx5e_poll_tx_cq, and mlx5e_napi_poll from the mlx5_core module
- IOMMU unmap failures correlated with TX error CQE events on mlx5e send queues
Detection Strategies
- Monitor dmesg and /var/log/kern.log for the iommu_dma_unmap_page warning signature on hosts running mlx5_core
- Inventory Linux hosts using modinfo mlx5_core and cross-reference running kernel versions against the patched stable releases listed in the upstream commits
- Track TX error counters on mlx5 interfaces via ethtool -S <iface> to identify systems exercising the recovery path
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized logging or SIEM platform and alert on WARNING events referencing iommu_dma_unmap_page or mlx5e_tx_wi_dma_unmap
- Baseline TX error CQE rates per send queue and alert on sustained increases that indicate repeated recovery cycles
- Track kernel version drift across the fleet to confirm patched kernels are deployed on all mlx5-equipped hosts
How to Mitigate CVE-2026-43466
Immediate Actions Required
- Identify all Linux systems running the mlx5_core driver with Mellanox ConnectX adapters
- Apply the upstream stable kernel patches referenced below and reboot affected hosts
- Prioritize patching on hosts that have logged the iommu_dma_unmap_page warning signature
Patch Information
The fix removes the erroneous dma_fifo_cc = 0 reset in mlx5e_reset_txqsq_cc_pc(). The patch has been backported across multiple stable branches via the following commits: Kernel Patch Commit 1633111d, Kernel Patch Commit 383b37c0, Kernel Patch Commit 6eb68ecc, Kernel Patch Commit 6f41f781, Kernel Patch Commit 821f85d6, Kernel Patch Commit 829efccc, Kernel Patch Commit 9c5ee9b9, and Kernel Patch Commit ce1b19dd.
Workarounds
- No supported runtime workaround removes the underlying logic flaw; patching is required
- Reduce exposure by suppressing conditions that generate TX error CQEs, such as MTU mismatches, invalid offload configurations, and unstable cable or transceiver hardware
- On affected kernels, treat repeated mlx5e SQ recovery events as a signal to drain and migrate workloads off the host until the patch is applied
# Verify mlx5_core driver and kernel version on a host
uname -r
modinfo mlx5_core | grep -E '^(version|srcversion|filename)'
# Check for the warning signature in kernel logs
dmesg -T | grep -E 'iommu_dma_unmap_page|mlx5e_tx_wi_dma_unmap'
# Inspect TX error statistics on an mlx5 interface
ethtool -S <iface> | grep -iE 'tx_err|tx_dropped|sq_recover'


