HOMEVULNERABILITIESCVE-2026-43449
NONE

CVE-2026-43449

Published: May 8, 2026· Updated: May 12, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set

dev->online_queues is a count incremented in nvme_init_queue. Thus,

valid indices are 0 through dev->online_queues − 1.

This patch fixes the loop condition to ensure the index stays within the

valid range. Index 0 is excluded because it is the admin queue.

KASAN splat:

==================================================================

BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]

BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404

Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74

CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary)

Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014

Workqueue: nvme-reset-wq nvme_reset_work

Call Trace:

<TASK>

__dump_stack lib/dump_stack.c:94 [inline]

dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120

print_address_description mm/kasan/report.c:378 [inline]

print_report+0xce/0x5d0 mm/kasan/report.c:482

kasan_report+0xdc/0x110 mm/kasan/report.c:595

__asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379

nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]

nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404

nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252

process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257

process_scheduled_works kernel/workqueue.c:3340 [inline]

worker_thread+0x65c/0xe60 kernel/workqueue.c:3421

kthread+0x41a/0x930 kernel/kthread.c:463

ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158

ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

</TASK>

Allocated by task 34 on cpu 1 at 4.241550s:

kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57

kasan_save_track+0x1c/0x70 mm/kasan/common.c:78

kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570

poison_kmalloc_redzone mm/kasan/common.c:398 [inline]

__kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415

kasan_kmalloc include/linux/kasan.h:263 [inline]

__do_kmalloc_node mm/slub.c:5657 [inline]

__kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663

kmalloc_array_node_noprof include/linux/slab.h:1075 [inline]

nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline]

nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534

local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324

pci_call_probe drivers/pci/pci-driver.c:392 [inline]

__pci_device_probe drivers/pci/pci-driver.c:417 [inline]

pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451

call_driver_probe drivers/base/dd.c:583 [inline]

really_probe+0x29b/0xb70 drivers/base/dd.c:661

__driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803

driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833

__driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159

async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129

process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257

process_scheduled_works kernel/workqueue.c:3340 [inline]

worker_thread+0x65c/0xe60 kernel/workqueue.c:3421

kthread+0x41a/0x930 kernel/kthread.c:463

ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158

ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88800592a000

which belongs to the cache kmalloc-2k of size 2048

The buggy address is located 244 bytes to the right of

allocated 1152-byte region [ffff88800592a000, ffff88800592a480)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff)

page_type: f5(slab)

raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001

raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000

head: 000fffffc0000040 ffff888001042000 00000

---truncated---

NVD Source

Technical Analysis

CVE-2026-43449 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-43449
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43449 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.