SB2026051453 - Improper Initialization in Linux kernel mm


Published: May 14, 2026

Security Bulletin ID: SB2026051453
CSH Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Denial of service

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Initialization (CVE-ID: CVE-2026-43489)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the kernel's liveupdate luo_file handling when a LIVEUPDATE_SESSION_RETRIEVE_FD ioctl is issued again after a failed retrieve attempt. A local user can trigger a failed retrieve and then retry the ioctl to cause a denial of service.

The issue can also affect session cleanup, because finish() may act on serialization data structures that have already been partially restored, freed, or left in an unexpected state.


Remediation

Install the update from the vendor's website.