PatchSiren

CVE-2026-43071 Linux CVE debrief

A critical out-of-bounds (OOB) read vulnerability exists in the Linux kernel's dentry cache (dcache) subsystem, triggered when a user sets the kernel boot parameter `dhash_entries=1`. This configuration causes the dentry hash table to be allocated with only a single bucket. The `d_hash_shift` value is then calculated as 32 by `dcache_init()`.

During dentry lookup operations in `__d_lookup()`, the hash index computation `(u32)hashlen >> d_hash_shift` performs a right shift by 32 bits on a 32-bit unsigned integer. Per the C standard, shifting by an amount equal to or greater than the operand's bit width is undefined behavior; in practice, this results in the original `hashlen` value being used as the bucket index, causing access to unallocated memory beyond the single-bucket hash table.

The OOB read manifests as a kernel page fault during early boot when debugfs or other subsystems attempt to create directories, as shown in the call trace through `debugfs_create_dir` → `simple_start_creating` → `start_dirop` → `lookup_one_qstr_excl` → `lookup_dcache` → `d_lookup.cold` → `__d_lookup`.

The fix enforces a minimum of two buckets for `dentry_hashtable`, ensuring `d_hash_shift` never reaches 32 and remains within valid shift bounds for a `u32` type. This vulnerability is remotely exploitable in network-facing kernel contexts where attackers may influence dentry operations, with high impact to confidentiality and availability.

Vendor: Linux
Product: Unknown
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-05-29
Advisory published: 2026-05-05
Advisory updated: 2026-05-29

Who should care

Linux kernel maintainers, system administrators, cloud infrastructure operators, embedded device manufacturers, and security teams responsible for kernel hardening and boot-time security

Technical summary

The Linux kernel's `dcache_init()` function computes `d_hash_shift` based on the number of `dentry_hashtable` buckets, which is derived from the `dhash_entries` boot parameter. When `dhash_entries=1`, only one bucket is allocated and `d_hash_shift` becomes 32. In `__d_lookup()`, the bucket index is computed as `(u32)hashlen >> d_hash_shift`. A right shift of a 32-bit unsigned integer by 32 bits is undefined behavior in C; on affected compilers and architectures, this evaluates to the unshifted `hashlen` value, producing an index far beyond the allocated single bucket. The subsequent `hlist_bl_for_each_entry_rcu()` iteration dereferences `h->first` on this invalid bucket pointer, causing a page fault and kernel Oops. The fix limits the minimum bucket count to two, ensuring `d_hash_shift` is at most 31 and the shift operation remains well-defined.
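
The arithmetic described above, as an added user-space model (not kernel source and not code from the advisory): it derives the shift from the bucket count and checks whether the resulting index stays inside the table, before and after a two-bucket minimum. The function names and the sample hash are constructed, and the masking of the shift count to five bits is an assumption about the target CPU, used so the model itself stays well-defined C.

```c
#include <stdint.h>
#include <stdio.h>

/* floor(log2(n)) for n >= 1; bucket counts are powers of two. */
static unsigned ilog2_u32(uint32_t n)
{
    unsigned l = 0;
    while (n >>= 1)
        l++;
    return l;
}

/* Shift derived from the bucket count: 32 - log2(buckets). */
unsigned hash_shift_for(uint32_t buckets)
{
    return 32 - ilog2_u32(buckets);
}

/* Assumption: the CPU masks a 32-bit shift count to 5 bits, so a shift
 * by 32 acts as a shift by 0. Masking here keeps this model defined C. */
uint32_t index_on_masking_cpu(uint32_t hash, unsigned shift)
{
    return hash >> (shift & 31);
}

/* The fix as the page describes it: never fewer than two buckets. */
uint32_t clamp_buckets(uint32_t requested)
{
    return requested < 2 ? 2 : requested;
}

/* 1 when the computed index falls outside a table of `buckets` entries. */
int lookup_is_oob(uint32_t buckets, uint32_t hash)
{
    return index_on_masking_cpu(hash, hash_shift_for(buckets)) >= buckets;
}

int main(void)
{
    const uint32_t hash = 0x9e3779b9u;      /* constructed sample hash */
    const uint32_t requested[] = { 1, 2, 1024 };
    for (size_t i = 0; i < sizeof requested / sizeof requested[0]; i++) {
        uint32_t b = requested[i], f = clamp_buckets(b);
        printf("buckets=%u shift=%u oob=%d | clamped=%u shift=%u oob=%d\n",
               (unsigned)b, hash_shift_for(b), lookup_is_oob(b, hash),
               (unsigned)f, hash_shift_for(f), lookup_is_oob(f, hash));
    }
    return 0;
}
```

Only the single-bucket row reports an out-of-range index; with the minimum applied the shift is 31 and the index can only be 0 or 1.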

Defensive priority

critical

Recommended defensive actions

  • Apply the appropriate stable kernel patch from the Linux kernel stable tree to enforce a minimum of two dentry_hashtable buckets
  • Audit boot parameters across all Linux systems to identify any use of dhash_entries=1 and remove or modify such configurations until patched
  • Prioritize patching for systems with network-exposed kernel interfaces or untrusted user namespaces where dentry operations may be attacker-influenced
  • Monitor for kernel page faults in __d_lookup or d_lookup.cold as potential indicators of exploitation attempts or misconfigurations
  • Review kernel crash dumps and early-boot logs for Oops traces involving dentry_hashtable access on systems with non-default dhash_entries values

Evidence notes

The vulnerability description and patch references confirm the root cause: undefined behavior from a 32-bit right shift on a `u32`. When `dhash_entries=1`, `d_hash_shift` becomes 32, leading to OOB memory access in `dentry_hashtable` during `__d_lookup()`. The call trace demonstrates the exploitation path through debugfs directory creation at boot. Multiple stable kernel patches are available across affected branches.
