CVE-2026-43331

Source
https://cve.org/CVERecord?id=CVE-2026-43331
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43331.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43331
Downstream
Published
2026-05-08T13:31:18.787Z
Modified
2026-07-15T01:48:54.901186573Z
Summary
x86/kexec: Disable KCOV instrumentation after load_segments()
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Disable KCOV instrumentation after load_segments()

The loadsegments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIGKCOV is enabled, any subsequent instrumented C code call (e.g. nativegdtinvalidate()) begins crashing the kernel in an endless loop.

To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel:

$ kexec -l /boot/otherKernel $ kexec -e

The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIGKEXEC and CONFIGKCOV to be enabled simultaneously.

Adding safeguards directly to the KCOV fast-path (_sanitizercovtracepc()) is also undesirable as it would introduce an extra performance overhead.

Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machinekexec64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered.

The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there.

[ bp: Space out comment for better readability. ]

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43331.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0d345996e4cb573f8cc81d49b3ee9a7fd2035bef
Fixed
0e96cd314c0d819c1635d68125a4d77852c2162e
Fixed
593d67032544b9271094fc9b43e437e017cb2b2f
Fixed
1e3e98596c2769721ade0418434852fb3af4849a
Fixed
de05c66fab8847237a9ca216934e56d3ee837f08
Fixed
917e3ad3321e75ca0223d5ccf26ceda116aa51e1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43331.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.93
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43331.json"