PatchSiren

CVE-2026-43416 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's PowerPC performance monitoring subsystem. When collecting user-space callchains via perf, the kernel fails to verify that `current->mm` (the current process's memory descriptor) is still valid. If the process's memory context has already been released—such as during process exit while BPF profiling programs are still executing—subsequent access to `current->mm` triggers a kernel panic. The vulnerability manifests as a NULL pointer dereference at offset 0x588 (likely within `mm_struct` field access), causing an oops with SIGSEGV. This was reproducible using BCC's profile.py BPF tool. The fix adds a NULL check for `current->mm` before attempting to walk the user callchain, mirroring a prior x86 fix (commit 20afc60f892d), and relocates top-level stack entry capture to ensure it's preserved even when `current->mm` is NULL.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-26
Advisory published: 2026-05-08
Advisory updated: 2026-05-26

Who should care

Linux kernel maintainers and system administrators running PowerPC-based systems with performance monitoring or BPF tracing enabled; security teams monitoring for kernel stability issues in production environments using eBPF/BCC tooling.

Technical summary

The vulnerability occurs in `perf_callchain_user_64()` on PowerPC when walking user-space callchains. The function assumes `current->mm` is valid, but during process teardown or in certain BPF execution contexts, the memory descriptor may be NULL. Accessing `current->mm` without validation causes a NULL pointer dereference. The fix introduces an explicit NULL check before dereferencing `current->mm`, consistent with x86 architecture handling. Additionally, the top-level stack entry capture is moved to the generic `perf_callchain_user()` to ensure stack traces remain useful even when user-space walk is skipped due to NULL `mm`.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch for your version series: 6.18.x, 6.19.x, or 7.0-rc
  • Upgrade to Linux kernel 6.18.19, 6.19.9, or 7.0-rc4 or later when available
  • If running BPF profiling tools on PowerPC systems, consider temporarily disabling user-space stack walking until patched
  • Monitor kernel logs for 'BUG: Kernel NULL pointer dereference' or 'perf_callchain_user' in stack traces as indicators of exploitation attempts
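
The log check in the last item, as an added example (not PatchSiren's or the kernel project's code): it groups kernel log lines into NULL-dereference reports and flags only those whose trace contains a `perf_callchain_user*` frame, so unrelated oopses are not counted. The function and variable names are hypothetical, the sample log is constructed, and the oops line layout is an assumption modelled on the crash path quoted in this debrief.

```python
import re

# Strings below come from the advisory; the sample log is constructed.
BUG_MARK = "BUG: Kernel NULL pointer dereference"
END_MARK = "---[ end trace"
PATH_FRAMES = ("perf_callchain_user_64", "perf_callchain_user",
               "get_perf_callchain", "bpf_get_stackid")
FRAME_RE = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
ADDR_RE = re.compile(r"\bat (0x[0-9a-fA-F]+)")

def find_oopses(lines):
    """Group log lines into NULL-dereference reports and flag the ones whose
    trace contains a perf_callchain_user* frame (this CVE's crash path)."""
    reports, cur = [], None
    for no, line in enumerate(lines, 1):
        if BUG_MARK in line:
            if cur is not None:          # earlier report had no end marker
                reports.append(cur)
            m = ADDR_RE.search(line)
            cur = {"line": no, "addr": m.group(1) if m else None, "frames": []}
        elif cur is not None:
            for fn in FRAME_RE.findall(line):
                if fn in PATH_FRAMES and fn not in cur["frames"]:
                    cur["frames"].append(fn)
            if END_MARK in line:
                reports.append(cur)
                cur = None
    if cur is not None:
        reports.append(cur)
    for r in reports:
        # The fault offset depends on the kernel build, so match on frames only.
        r["match"] = any(f.startswith("perf_callchain_user") for f in r["frames"])
    return reports

SAMPLE = """\
[  412.118] BUG: Kernel NULL pointer dereference on read at 0x00000588
[  412.119] NIP [c000000000000000] perf_callchain_user_64+0x2d0/0x490
[  412.119] Call Trace:
[  412.119] [c000000000000000] perf_callchain_user+0x20/0x80
[  412.119] [c000000000000000] get_perf_callchain+0x100/0x360
[  412.119] [c000000000000000] bpf_get_stackid+0x88/0xf0
[  412.120] ---[ end trace 0000000000000000 ]---
[  980.004] BUG: Kernel NULL pointer dereference on read at 0x00000010
[  980.004] NIP [c000000000000000] example_driver_poll+0x40/0x90
[  980.005] ---[ end trace 0000000000000000 ]---
""".splitlines()
if __name__ == "__main__":
    for r in find_oopses(SAMPLE):
        print(r)
```

Feed it the output of `dmesg` or `journalctl -k` split into lines; a report with `match` set and `bpf_get_stackid` among its frames corresponds to the BPF profiling path described in the evidence notes.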

Evidence notes

The vulnerability description includes a kernel oops trace showing the crash path: `perf_callchain_user_64` → `perf_callchain_user` → `get_perf_callchain` → `bpf_get_stackid` → BPF program. The faulting instruction address and NULL dereference at 0x588 confirm the `mm_struct` access pattern. Three kernel.org stable patches are provided as fixes. CPE data indicates affected versions span Linux 2.6.32 through 6.18.18, 6.19 through 6.19.8, and 7.0-rc1 through rc3.
