PatchSiren cyber security CVE debrief
CVE-2026-43240 Linux CVE debrief
CVE-2026-43240 is a Linux kernel availability issue in x86 kexec handling. If a second-stage kernel is started with a limiting command line such as mem=<size>, the preserved IMA measurement list from the previous kernel can land outside the usable RAM range. When the kernel tries to restore that list, it can fault and panic during boot. The main risk is loss of system availability and disrupted attestation continuity.
- Vendor: Linux
- Product: Linux kernel (CVE-2026-43240)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-06
- Advisory updated: 2026-05-11
Who should care
Linux kernel maintainers, distro security teams, operators using kexec-based reboots, and environments that rely on IMA measurement continuity for attestation or compliance should prioritize this issue, especially on systems that use memory-limiting boot parameters.
Technical summary
NVD describes CVE-2026-43240 as a missing sanity check in the x86 kexec path of the Linux kernel. When a second-stage kernel is booted via kexec with a constrained memory map (for example mem=<size> on its command line), the IMA kexec buffer carried over from the previous kernel can point at a physical range that the new kernel no longer treats as usable RAM. The restore path then accesses that range and faults in ima_restore_measurement_list(), panicking the kernel during boot. The supplied CVSS vector scores impact on availability only (C:N/I:N/A:H). The published fix adds a range sanity check on x86, similar to checks other architectures already perform, that validates the buffer against the kernel's memory bounds before restoration so an out-of-range buffer is rejected rather than dereferenced.
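The range check the fix describes is easy to show in isolation. The following is an added example written for this debrief, not code from the Linux kernel or from the referenced patch: the E820-style region list, the mem= emulation and the helper names (apply_mem_limit, buffer_in_usable_ram, ima_restore_decision) are all constructed for illustration. It models the failure mode: a buffer left at 7.75 GiB by the previous kernel is fine when the full map is present and is rejected once mem=2G truncates the map.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One usable-RAM region [start, end), the shape of an E820 "usable"
 * entry after the kernel has applied any mem= limit. Constructed
 * sample map (not a real machine's E820 table): low memory, a region
 * below the PCI hole at ~3 GiB, and a region from 4 GiB to 9 GiB. */
struct ram_region {
    uint64_t start;
    uint64_t end;   /* exclusive */
};

enum { FULL_MAP_N = 3 };
const struct ram_region full_map[FULL_MAP_N] = {
    { 0x1000ULL,      0x9f000ULL     },
    { 0x100000ULL,    0xBFFE0000ULL  },
    { 0x100000000ULL, 0x240000000ULL },
};

/* Emulate mem=<size>: drop every region that starts at or above the
 * limit and clip the one that straddles it. Returns the new count;
 * out must have room for n entries. */
size_t apply_mem_limit(const struct ram_region *in, size_t n,
                       uint64_t mem_limit, struct ram_region *out)
{
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        if (in[i].start >= mem_limit)
            continue;
        out[count].start = in[i].start;
        out[count].end = in[i].end < mem_limit ? in[i].end : mem_limit;
        count++;
    }
    return count;
}

/* The sanity check: true only if [addr, addr + size) lies fully inside
 * one usable region. A zero-length buffer, a range that wraps the
 * 64-bit address space, or one that crosses a region edge (including
 * the mem= cut) is rejected, so the caller can skip the restore instead
 * of touching physical memory that is no longer mapped. */
bool buffer_in_usable_ram(const struct ram_region *map, size_t n,
                          uint64_t addr, uint64_t size)
{
    uint64_t end;

    if (size == 0)
        return false;
    if (addr > UINT64_MAX - size)   /* addr + size would overflow */
        return false;
    end = addr + size;

    for (size_t i = 0; i < n; i++) {
        if (addr >= map[i].start && end <= map[i].end)
            return true;
    }
    return false;
}

/* Decision a restore path would take: 0 = restore, -1 = skip and log.
 * Hypothetical helper for this example, not a kernel function. */
int ima_restore_decision(const struct ram_region *map, size_t n,
                         uint64_t buf_addr, uint64_t buf_size)
{
    if (!buffer_in_usable_ram(map, n, buf_addr, buf_size)) {
        fprintf(stderr, "ima kexec buffer %#llx+%#llx outside usable RAM, skipping restore\n",
                (unsigned long long)buf_addr, (unsigned long long)buf_size);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed: the previous kernel left the IMA buffer at 7.75 GiB. */
    const uint64_t ima_addr = 0x1F0000000ULL, ima_size = 0x10000ULL;
    struct ram_region limited[FULL_MAP_N];
    size_t n;

    printf("no mem= : restore=%d\n",
           ima_restore_decision(full_map, FULL_MAP_N, ima_addr, ima_size));

    n = apply_mem_limit(full_map, FULL_MAP_N, 0x80000000ULL, limited); /* mem=2G */
    printf("mem=2G  : restore=%d\n",
           ima_restore_decision(limited, n, ima_addr, ima_size));
    return 0;
}
```

The check deliberately tests the whole range, not just the first byte: a buffer whose start is in RAM but whose tail crosses the mem= cut would still fault partway through a restore, and the overflow guard keeps a bogus size from wrapping the range back into a valid region.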
Defensive priority
Medium. The CVSS score is 5.5 (MEDIUM) and the trigger requires a kexec into a kernel booted with a memory-limiting command line, but because the failure is a boot-time panic the operational impact can be high for systems that depend on uninterrupted booting or attestation workflows.
Recommended defensive actions
- Apply the upstream/stable Linux kernel fixes referenced by the official patch links.
- Upgrade to a vendor kernel version that includes the CVE-2026-43240 backport for your branch.
- Review any systems that use kexec together with IMA and memory-limiting boot parameters such as mem=<size>.
- Test reboot and attestation workflows after patching to confirm the IMA measurement list still restores correctly.
- If patching is delayed, assess whether kexec-based reboots can be temporarily avoided on affected x86 systems, or whether the mem=<size> restriction can be dropped from the second-stage command line so the triggering condition is not met.
- Monitor distro security advisories for the specific fixed kernel builds in your supported release train.
Evidence notes
The supplied NVD record marks the issue as analyzed and provides a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The description states that the problem occurs when a kexec-booted second-stage kernel uses a limiting command line such as mem=<size>, causing the previous kernel’s IMA measurement list to fall outside truncated RAM and trigger a page fault/panic. NVD lists Linux kernel version ranges affected and links to official kernel patch commits. No exploit details beyond the boot-time fault condition are included.
Official resources
- CVE-2026-43240 CVE record (CVE.org)
- CVE-2026-43240 NVD detail (NVD)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE/NVD record on 2026-05-06; NVD last modified the record on 2026-05-11.