Improper input validation in Linux kernel - CVE-2026-43130
Published: May 7, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper device state validation in the dev-IOTLB flushing logic when a PCIe device is detached or released in scalable mode after the device link goes down. A local user can trigger device teardown for an inaccessible PCIe device to cause a denial of service.
The issue can hard-lock the system while releasing resources after a VM fails to connect to the PCIe device.
How to mitigate CVE-2026-43130
Sources
- https://git.kernel.org/stable/c/01aed2f1d7cb8fdf4c60c5bb4727608cb82b401d
- https://git.kernel.org/stable/c/0da6697e577023d8867c7beb2d16a22510e4eea9
- https://git.kernel.org/stable/c/10e60d87813989e20eac1f3eda30b3bae461e7f9
- https://git.kernel.org/stable/c/581ce094d9eafb78ec4f9de77bd24b780c151236
- https://git.kernel.org/stable/c/9813306610d0d718c863aaa70928bf57d7570ec0
- https://git.kernel.org/stable/c/9deaacc8dcaddb6ddc5b52e1e63b457450ec0f94
- https://git.kernel.org/stable/c/e2c78c69f8faf2885ea4ceee08c71ac738f401a0
- https://git.kernel.org/stable/c/ead67d0378e90f419e385a43af29435242d80c12