HOMEVULNERABILITIESCVE-2026-43489
NONE

CVE-2026-43489

Published: May 13, 2026· Updated: May 13, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

liveupdate: luo_file: remember retrieve() status

LUO keeps track of successful retrieve attempts on a LUO file. It does so

to avoid multiple retrievals of the same file. Multiple retrievals cause

problems because once the file is retrieved, the serialized data

structures are likely freed and the file is likely in a very different

state from what the code expects.

The retrieve boolean in struct luo_file keeps track of this, and is passed

to the finish callback so it knows what work was already done and what it

has left to do.

All this works well when retrieve succeeds. When it fails,

luo_retrieve_file() returns the error immediately, without ever storing

anywhere that a retrieve was attempted or what its error code was. This

results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,

but nothing prevents it from trying this again.

The retry is problematic for much of the same reasons listed above. The

file is likely in a very different state than what the retrieve logic

normally expects, and it might even have freed some serialization data

structures. Attempting to access them or free them again is going to

break things.

For example, if memfd managed to restore 8 of its 10 folios, but fails on

the 9th, a subsequent retrieve attempt will try to call

kho_restore_folio() on the first folio again, and that will fail with a

warning since it is an invalid operation.

Apart from the retry, finish() also breaks. Since on failure the

retrieved bool in luo_file is never touched, the finish() call on session

close will tell the file handler that retrieve was never attempted, and it

will try to access or free the data structures that might not exist, much

in the same way as the retry attempt.

There is no sane way of attempting the retrieve again. Remember the error

retrieve returned and directly return it on a retry. Also pass this

status code to finish() so it can make the right decision on the work it

needs to do.

This is done by changing the bool to an integer. A value of 0 means

retrieve was never attempted, a positive value means it succeeded, and a

negative value means it failed and the error code is the value.

NVD Source

Technical Analysis

CVE-2026-43489 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-43489
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 13, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43489 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.