PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43461 Linux CVE debrief

CVE-2026-43461 affects the Linux kernel’s Amlogic SPI flash controller driver path and was published on 2026-05-08, with the record updated on 2026-05-20. The issue is in DMA buffer setup error handling: a failed first mapping returned through an unnecessary cleanup path, a failed info mapping could double-unmap the data mapping, and one unmap used the wrong buffer length. NVD rates the issue as high severity with a local, low-privilege vector, and patch references are available from kernel.org.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-20
Advisory published
2026-05-08
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that include the Amlogic spifc-a4 SPI flash controller driver, especially on affected 6.18, 6.19, and 7.0 release-candidate branches.

Technical summary

The vulnerable code is aml_sfc_dma_buffer_setup() in the Amlogic SPI driver. According to the supplied record, three error-path bugs were fixed: (1) if the first DMA mapping for sfc->daddr fails, no cleanup is needed and the code should return directly; (2) if the info DMA mapping fails, the code previously unmapped sfc->daddr inline and then fell through to a second unmap of the same mapping; and (3) the out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could cause incorrect DMA sync behavior. NVD lists CVSS 3.1 as AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High — patch promptly on affected kernels, especially if the Amlogic SPI controller driver is present in your build or deployment.

Recommended defensive actions

  • Apply the kernel fixes referenced by the official kernel.org patch links in the NVD record.
  • Backport the fix set to any supported downstream or vendor kernel branches that include the affected Amlogic SPI driver code.
  • Inventory systems that ship the Amlogic spifc-a4 driver and verify whether they run affected Linux kernel versions listed by NVD.
  • Prioritize testing on the NVD-identified vulnerable ranges: 6.18 before 6.18.19, 6.19 before 6.19.9, and 7.0 release candidates rc1 through rc3.
  • Review DMA error-handling paths in downstream copies of the driver to ensure the same double-unmap and length-mismatch patterns are not present.

Evidence notes

Timing context: the CVE was published on 2026-05-08T15:16:58.977Z and modified on 2026-05-20T18:41:12.283Z, matching the supplied timeline. The NVD record marks the issue as analyzed and cites three kernel.org patch references. The supplied NVD criteria identify vulnerable Linux kernel ranges including 6.18 through 6.18.19, 6.19 through 6.19.9, and 7.0 rc1 through rc3. The source description explicitly names the error-path bugs: unnecessary goto on the first mapping failure, double-unmap on info-mapping failure, and use of datalen instead of infolen when unmapping sfc->iaddr.

Official resources

Publicly disclosed through the CVE/NVD record on 2026-05-08, with the record updated on 2026-05-20 to include patch references.