PatchSiren cyber security CVE debrief
CVE-2026-43064 Linux CVE debrief
A workqueue leak in the Linux kernel's Intel Data Streaming Accelerator (DSA)/Intel Analytics Accelerator (IAA) driver (dmaengine/idxd) can lead to resource exhaustion and local denial of service. When an idxd device is released, its associated workqueue is not freed, so the workqueue is leaked and persists. This flaw affects multiple stable kernel branches and 7.0 release candidates. The vulnerability requires local access and low privileges; it has no impact on confidentiality or integrity but a high impact on availability. Patches have been committed to stable kernel branches.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-05
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-05
- Advisory updated: 2026-05-29
Who should care
Organizations running Linux systems with Intel DSA or IAA hardware enabled, particularly those in data-intensive environments where devices may be frequently attached and detached. Cloud providers and HPC operators using affected kernel versions should prioritize patching.
Technical summary
The dmaengine/idxd driver in the Linux kernel fails to release the workqueue associated with a DSA or IAA device when the device object is freed during .release(). This results in a workqueue leak that can exhaust system resources and cause a local denial of service. The flaw exists in multiple kernel stable branches from 5.11.22 through 6.19.x and the 7.0-rc series. The CVSS 3.1 score is 5.5 (MEDIUM) with local attack vector, low privileges required, and high availability impact. Patches have been committed to stable kernel trees.
Defensive priority
medium
Recommended defensive actions
- Apply the relevant stable kernel patch for your branch (5.12.x, 5.13.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, or 7.0-rc) once available through your distribution's security updates.
- Monitor distribution security advisories for kernel packages containing the idxd workqueue fix.
- If running affected kernel versions with DSA/IAA hardware enabled, plan maintenance windows for kernel updates to prevent potential workqueue exhaustion under repeated device attach/detach cycles.
- Review systems for unusual workqueue accumulation or memory pressure symptoms that may indicate exploitation attempts.
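To scope which hosts the actions above apply to, the following added shell example (not from the advisory or the kernel project) reports whether the idxd module is loaded or DSA/IAA devices are registered on the sysfs "dsa" bus. The function names and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added triage example, not vendor or kernel code.
# Each function takes an optional ROOT prefix so the same check can run
# against the live system (empty ROOT) or a collected filesystem tree.

# Succeeds if the idxd module is listed in ROOT/proc/modules.
# A built-in driver does not appear here, so devices are checked separately.
idxd_module_loaded() {
    root=${1:-}
    [ -r "$root/proc/modules" ] && grep -q '^idxd ' "$root/proc/modules"
}

# Counts DSA (dsaN) and IAA (iaxN) devices registered on the "dsa" bus.
# Work queue and engine entries (wqN.M, engineN.M) are not counted.
idxd_device_count() {
    root=${1:-}
    n=0
    for d in "$root"/sys/bus/dsa/devices/dsa[0-9]* \
             "$root"/sys/bus/dsa/devices/iax[0-9]*; do
        [ -e "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Prints one of: devices-present:<count>, module-only, not-present.
idxd_exposure() {
    root=${1:-}
    n=$(idxd_device_count "$root")
    if [ "$n" -gt 0 ]; then
        echo "devices-present:$n"
    elif idxd_module_loaded "$root"; then
        echo "module-only"
    else
        echo "not-present"
    fi
}

# Report for this host; compare the kernel release with the
# distribution advisory that carries the idxd workqueue fix.
echo "kernel: $(uname -r)  idxd: $(idxd_exposure "${IDXD_ROOT:-}")"
```

Hosts that report `devices-present` are the ones to schedule first for the kernel update; `module-only` means the driver is loaded without a bound DSA/IAA device.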
Evidence notes
CVE description states workqueue is not released on .release(). NVD CPE data confirms affected Linux kernel versions from 5.11.22 through multiple stable branches and 7.0-rc series. Six patch commits are referenced in NVD metadata. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 5.5 (MEDIUM).
Official resources
- CVE-2026-43064 CVE record (CVE.org)
- CVE-2026-43064 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)