CVE-2026-43248 Linux CVE debrief

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels in the affected version ranges should prioritize this advisory. Environments using vhost, vDPA, or vdpa_sim are most directly relevant, especially where local users or guest-adjacent workflows can reach the affected kernel paths.

Technical summary

The core issue is a missing or inconsistently applied bounds check around vdpa group handling. According to the CVE description, moving the check into vhost_vdpa reduces the chance that a parent driver omits it, and vdpa_sim had an off-by-one style condition where a group equal to ngroups could still be treated as valid. NVD maps the weakness to CWE-787 (out-of-bounds write) and lists affected Linux kernel ranges as 5.19 through versions before 6.12.75, 6.13 through before 6.18.16, and 6.19 through before 6.19.6.

Defensive priority

High

Recommended defensive actions

• Apply the Linux kernel updates that include the documented fixes.
• Prioritize patching systems in the affected kernel version ranges listed by NVD.
• Pay special attention to hosts using vhost, vDPA, or vdpa_sim functionality.
• If immediate patching is not possible, reduce exposure by limiting local user access on affected systems.
• Verify that downstream vendor kernels have backported the relevant patches.
• Track the linked kernel patch references to confirm the fix is present in your build stream.

Evidence notes

This debrief is based on the supplied NVD analyzed record, the CVE description, and the linked kernel patch references. The corpus shows no KEV entry and no supplied evidence of exploitation or ransomware use. Impact, severity, weakness class, and affected version ranges are taken from the official NVD metadata; the specific bug description comes from the CVE text.

Official resources