HOMEVULNERABILITIESCVE-2026-43363
NONE

CVE-2026-43363

Published: May 8, 2026· Updated: May 12, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

x86/apic: Disable x2apic on resume if the kernel expects so

When resuming from s2ram, firmware may re-enable x2apic mode, which may have

been disabled by the kernel during boot either because it doesn't support IRQ

remapping or for other reasons. This causes the kernel to continue using the

xapic interface, while the hardware is in x2apic mode, which causes hangs.

This happens on defconfig + bare metal + s2ram.

Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be

disabled, i.e. when x2apic_mode = 0.

The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the

pre-sleep configuration or initial boot configuration for each CPU, including

MSR state:

When executing from the power-on reset vector as a result of waking from an

S2 or S3 sleep state, the platform firmware performs only the hardware

initialization required to restore the system to either the state the

platform was in prior to the initial operating system boot, or to the

pre-sleep configuration state. In multiprocessor systems, non-boot

processors should be placed in the same state as prior to the initial

operating system boot.

(further ahead)

If this is an S2 or S3 wake, then the platform runtime firmware restores

minimum context of the system before jumping to the waking vector. This

includes:

CPU configuration. Platform runtime firmware restores the pre-sleep

configuration or initial boot configuration of each CPU (MSR, MTRR,

firmware update, SMBase, and so on). Interrupts must be disabled (for

IA-32 processors, disabled by CLI instruction).

(and other things)

So at least as per the spec, re-enablement of x2apic by the firmware is

allowed if "x2apic on" is a part of the initial boot configuration.

[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization

[ bp: Massage. ]

NVD Source

Technical Analysis

CVE-2026-43363 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-43363
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43363 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.