PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43413 Linux CVE debrief

CVE-2026-43413 is a Linux kernel vulnerability in the hisi_sas SCSI driver that can crash the system during a user-initiated scan. The issue stems from the updated sas_user_scan() path iterating over channel 1 on hardware that supports only one channel, leading to a NULL pointer dereference and kernel Oops. NVD rates the issue as medium severity with local attack requirements and high availability impact.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-21
Advisory published
2026-05-08
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems using hisi_sas storage hardware should care most. Administrators who allow privileged users or automation to trigger SCSI scan operations should treat this as a stability issue that can become a local denial of service. One caveat on exposure: the scan trigger is a write to the scsi_host scan attribute in sysfs, which the kernel exposes as root-writable only by default, so in practice the vulnerable path is reached from privileged local access or from tooling that runs with it, not from an unprivileged user.

Technical summary

The supplied kernel report says user_scan() calls the updated sas_user_scan() for channel 0 and then loops over the remaining channels from 1 up to shost->max_channel. In the SCSI midlayer max_channel is the highest valid channel index (0-based), so a driver backing a single channel should set it to 0; hisi_sas sets it to 1 even though the driver supports only one channel, so the follow-on scan for channel 1 reaches sas_find_dev_by_rphy() with a NULL rphy and dereferences it. The observed result is a kernel NULL pointer dereference in the sas_target_alloc()/scsi_scan_host_selected() path, which affects availability; the supplied CVSS data records no confidentiality or integrity impact.
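The channel arithmetic behind the report, as an added userspace model written for this debrief. It is not the kernel's code and not the upstream fix: the kernel names are reused only as labels, the one-channel layout with max_channel = 1 is assumed from the description, and the hardened loop that skips NULL entries is an assumed shape rather than the actual patch. The point it shows is that max_channel is the highest valid index, so advertising 1 while populating one channel hands the scan loop a second iteration with nothing behind it.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_MAX_CHANNELS 4

/* Stand-ins for the kernel objects; the names are reused only as labels. */
struct sas_rphy {
    const char *name;
};

struct model_host {
    unsigned int max_channel;   /* highest valid channel index, 0-based, as the driver sets it */
    unsigned int nr_channels;   /* channels the driver actually backs with an rphy */
    struct sas_rphy *rphy[MODEL_MAX_CHANNELS];
};

/* Unchecked dereference, like the crash site in the reported trace:
 * passing NULL here is the userspace stand-in for the kernel Oops. */
const char *model_find_dev_by_rphy(const struct sas_rphy *rphy)
{
    return rphy->name;
}

/* Per-channel lookup; channels the driver never populated come back NULL. */
struct sas_rphy *model_rphy_for_channel(const struct model_host *h, unsigned int ch)
{
    if (ch >= h->nr_channels || ch >= MODEL_MAX_CHANNELS)
        return NULL;
    return h->rphy[ch];
}

/* Control flow the report describes: channel 0, then every channel up to
 * max_channel, with no NULL check. With max_channel = 1 and one populated
 * channel the second iteration dereferences NULL and faults. Returns the
 * number of targets visited when it survives. */
unsigned int model_user_scan_unpatched(const struct model_host *h)
{
    unsigned int ch, visited = 0;
    for (ch = 0; ch <= h->max_channel; ch++) {
        model_find_dev_by_rphy(model_rphy_for_channel(h, ch));
        visited++;
    }
    return visited;
}

/* The check: how many iterations of that loop have no rphy behind them.
 * Non-zero means max_channel overstates what the driver populated. */
unsigned int model_phantom_channels(const struct model_host *h)
{
    unsigned int ch, phantom = 0;
    for (ch = 0; ch <= h->max_channel; ch++)
        if (model_rphy_for_channel(h, ch) == NULL)
            phantom++;
    return phantom;
}

/* Hardened loop (an assumed shape, not the upstream patch): skip channels
 * with no rphy. A driver-side fix of max_channel = nr_channels - 1 would
 * remove the phantom iterations entirely. */
unsigned int model_user_scan_safe(const struct model_host *h)
{
    unsigned int ch, visited = 0;
    for (ch = 0; ch <= h->max_channel; ch++) {
        const struct sas_rphy *rphy = model_rphy_for_channel(h, ch);
        if (rphy == NULL)
            continue;
        model_find_dev_by_rphy(rphy);
        visited++;
    }
    return visited;
}

/* Constructed host: nr_channels populated rphys, max_channel as given. */
struct model_host model_make_host(unsigned int max_channel, unsigned int nr_channels)
{
    static struct sas_rphy phys[MODEL_MAX_CHANNELS] = {
        { "phy0" }, { "phy1" }, { "phy2" }, { "phy3" }
    };
    struct model_host h = { .max_channel = max_channel, .nr_channels = nr_channels };
    unsigned int ch;
    for (ch = 0; ch < nr_channels && ch < MODEL_MAX_CHANNELS; ch++)
        h.rphy[ch] = &phys[ch];
    return h;
}

/* Convenience wrappers over a constructed host. */
unsigned int model_phantom_count(unsigned int max_channel, unsigned int nr_channels)
{
    struct model_host h = model_make_host(max_channel, nr_channels);
    return model_phantom_channels(&h);
}

unsigned int model_safe_scan_count(unsigned int max_channel, unsigned int nr_channels)
{
    struct model_host h = model_make_host(max_channel, nr_channels);
    return model_user_scan_safe(&h);
}

unsigned int model_unpatched_scan_count(unsigned int max_channel, unsigned int nr_channels)
{
    struct model_host h = model_make_host(max_channel, nr_channels);
    return model_user_scan_unpatched(&h);
}

int main(void)
{
    /* hisi_sas-like layout from the report: one channel, max_channel = 1 */
    printf("phantom channels, max_channel=1 with one channel: %u\n", model_phantom_count(1, 1));
    printf("safe scan visited: %u\n", model_safe_scan_count(1, 1));
    /* corrected layout: one channel means max_channel = 0 */
    printf("phantom channels, max_channel=0: %u\n", model_phantom_count(0, 1));
    printf("unpatched scan on corrected layout visited: %u\n", model_unpatched_scan_count(0, 1));
    /* model_unpatched_scan_count(1, 1) would dereference NULL and fault */
    return 0;
}
```

model_phantom_count() is the check worth keeping: a non-zero result means the advertised max_channel exceeds what the driver populated, which is exactly the hisi_sas condition in the report, and the corrected layout (max_channel 0 for one channel) returns 0. The unpatched loop is kept beside the hardened one so the only difference, the NULL check, is visible; run it on the corrected layout only.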

Defensive priority

High for affected systems using the hisi_sas driver, because the bug can reliably crash the kernel from a local scan path and interrupt storage or host availability. Priority is especially elevated on production hosts where local privileged access is shared, automated, or exposed to operational tooling that can write to the scan interface.

Recommended defensive actions

  • Apply the Linux kernel fixes referenced in the supplied official patch links and move to a kernel release that includes the remediation.
  • If immediate patching is not possible, restrict which local users and automation can trigger SCSI scan operations on affected hosts.
  • Review systems using hisi_sas for kernel Oops events or repeated scan-triggered crashes, especially ones that follow writes to the scsi_host scan attribute in sysfs.
  • Use the NVD version ranges in the supplied corpus to identify affected kernel branches and plan upgrades accordingly.

Evidence notes

All claims are drawn from the supplied CVE record and NVD metadata. The description states that hisi_sas supports only one channel, that sas_user_scan() iterates the remaining channels after channel 0, and that channel 1 triggers a NULL pointer exception. The supplied call trace shows the failure in sas_find_dev_by_rphy() via sas_target_alloc(), scsi_scan_host_selected(), and sas_user_scan(). NVD lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, CWE-476, and affected Linux kernel version ranges in the 6.6, 6.12, 6.18 and 6.19 stable series, each ending before the fixed releases 6.6.130, 6.12.78, 6.18.19 and 6.19.9, plus the 7.0 rc1 through rc3 tags.

Official resources

CVE published on 2026-05-08 and last modified on 2026-05-21, per the supplied timeline. The supplied NVD entry is marked analyzed and includes patch references from the Linux kernel stable tree.