CVE-2026-43368

Source
https://cve.org/CVERecord?id=CVE-2026-43368
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43368.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43368
Downstream
Published
2026-05-08T14:21:20.500Z
Modified
2026-07-15T01:49:18.832180254Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/i915: Fix potential overflow of shmem scatterlist length
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Fix potential overflow of shmem scatterlist length

When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of the object's backing pages.

[278.780187] ------------[ cut here ]------------ [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915mm.c:55 remapsg+0x199/0x1d0 [i915] ... [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gemmmapoffset Tainted: G S U 6.17.0-rc1-CIDRM16981-ged823aaa0607+ #1 PREEMPT(voluntary) [278.780656] Tainted: [S]=CPUOUTOFSPEC, [U]=USER [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 [278.780659] RIP: 0010:remapsg+0x199/0x1d0 [i915] ... [278.780786] Call Trace: [278.780787] <TASK> [278.780788] ? __applytopage_range+0x3e6/0x910 [278.780795] ? __pfxremapsg+0x10/0x10 [i915] [278.780906] apply_topagerange+0x14/0x30 [278.780908] remapiosg+0x14d/0x260 [i915] [278.781013] vmfaultcpu+0xd2/0x330 [i915] [278.781137] __dofault+0x3a/0x1b0 [278.781140] dofault+0x322/0x640 [278.781143] __handlemmfault+0x938/0xfd0 [278.781150] handlemmfault+0x12c/0x300 [278.781152] ? lockmmandfindvma+0x4b/0x760 [278.781155] douseraddrfault+0x2d6/0x8e0 [278.781160] excpagefault+0x96/0x2c0 [278.781165] asmexcpagefault+0x27/0x30 ...

That issue was apprehended by the author of a change that introduced it, and potential risk even annotated with a comment, but then never addressed.

When adding folio pages to a scatterlist table, take care of byte length of any single scatterlist not exceeding max_segment.

(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43368.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b62af28f249b9c4036a05acfb053058dc02e2e2
Fixed
aeb7255531ba4a5c3a64938577170d08b78de399
Fixed
1c956f0fccc26fefcbb507516c49d1db41c40471
Fixed
eae4bf4107571283031db96ce132e951615e2ae4
Fixed
21a301f12d18797bf889c15497f922edfdaece3a
Fixed
029ae067431ab9d0fca479bdabe780fa436706ea

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43368.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.130
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.78
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.19
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43368.json"