PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43449 Linux CVE debrief

CVE-2026-43449 is a Linux kernel NVMe PCI driver vulnerability that can cause a slab-out-of-bounds read in nvme_dbbuf_set. NVD assigns it CVSS 7.1 HIGH and classifies the weakness as CWE-125. The kernel fix notes state that dev->online_queues is a count incremented in nvme_init_queue, so valid indices are 0 through dev->online_queues - 1, and the loop condition was corrected to stay within that range while excluding index 0 because it is the admin queue.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-21
Advisory published
2026-05-08
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators running systems with NVMe PCI storage should prioritize this issue, especially where kernel updates are managed conservatively and NVMe reset paths may be exercised.

Technical summary

The issue is in drivers/nvme/host/pci.c and is triggered during nvme_dbbuf_set / nvme_dbbuf_free handling. The provided KASAN report shows an out-of-bounds read of size 2 in nvme_dbbuf_free, reached from nvme_dbbuf_set during nvme_reset_work. According to the fix note, the bug came from iterating beyond the valid queue index range because dev->online_queues is a count, not a highest index. NVD lists affected Linux kernel ranges across multiple release lines, including versions before 4.15, 4.20, 5.5, 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9, plus certain 5.10 and 7.0 release candidates.

Defensive priority

High. The flaw is memory-safety related, reachable in kernel space, and rated HIGH by NVD. Even though the CVSS vector is local and requires low privileges, kernel memory corruption or disclosure issues warrant prompt patching on affected systems.

Recommended defensive actions

  • Apply the vendor kernel patch from the linked stable Git references.
  • Upgrade to a Linux kernel release that includes the fix for your branch.
  • Prioritize patching systems that use NVMe PCI devices or that frequently exercise NVMe reset paths.
  • Verify affected kernel versions against the NVD CPE ranges before scheduling maintenance.
  • Monitor kernel advisories and downstream distribution errata for backported fixes.

Evidence notes

All claims are grounded in the supplied NVD record and the embedded kernel fix note. The KASAN report in the description shows the fault in nvme_dbbuf_set while handling nvme_reset_work. NVD lists the CVSS vector as CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H and the weakness as CWE-125. Reference links in the corpus point to kernel.org stable patch entries, supporting that this is a fixed kernel driver bug rather than an unverified report.

Official resources

CVE published on 2026-05-08T15:16:57.477Z and last modified on 2026-05-21T16:59:20.160Z, based on the supplied CVE and NVD timeline fields.