PatchSiren

CVE-2026-43462 Linux CVE debrief

CVE-2026-43462 is a Linux kernel vulnerability in the Spacemit network driver path. The published fix addresses error handling in emac_tx_mem_map(), where DMA mappings were not being freed when mapping failed. The issue was corrected by reusing the existing emac_free_tx_buf() cleanup path. NVD rates the issue HIGH with a 7.5 CVSS score, reflecting an availability impact.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, embedded/OEM vendors shipping kernels with the Spacemit Ethernet driver, and operators of systems running affected kernel versions should prioritize this advisory.

Technical summary

According to the CVE description and NVD record, the problem is a resource-handling bug in net/spacemit: emac_tx_mem_map() could leak DMA mappings when a mapping error occurred. The fix restores cleanup by calling the existing emac_free_tx_buf() function so failed mappings are released properly. NVD marks the vulnerability as analyzed and lists these affected Linux kernel ranges: 6.18 up to but not including 6.18.19, 6.19 up to but not including 6.19.9, and the early 7.0 release candidates (rc1 through rc3).

Defensive priority

High. This is a kernel-level availability issue with a published CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Systems running affected kernel builds should be updated, or have the fix backported, promptly, especially where the Spacemit driver is present.

Recommended defensive actions

  • Apply the kernel update or vendor backport that includes the emac_tx_mem_map() cleanup fix.
  • Confirm whether deployed systems fall within the affected kernel ranges listed by NVD.
  • For downstream or embedded builds, verify that the fix was included in the vendor's backport set rather than relying only on upstream version numbers.
  • Prioritize systems that use the Spacemit Ethernet driver or related platform builds.
  • Track kernel package advisories from your distribution or device vendor for the corresponding patched release.
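
One way to triage an inventory against the ranges above, as an added example that is not part of the CVE record or the kernel patch. The function names, result labels and sample release strings are assumptions made for illustration; any vendor suffix on the release string is flagged for a manual backport check.

```python
import re

# Affected ranges as summarised in this debrief (from NVD):
#   6.18 <= v < 6.18.19, 6.19 <= v < 6.19.9, and 7.0-rc1 through 7.0-rc3.
FIXED_IN = {(6, 18): 19, (6, 19): 9}        # series -> first fixed patch level
AFFECTED_RCS = {(7, 0): {1, 2, 3}}          # series -> affected release candidates

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?(.*)$")


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, rc, suffix)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rc, m.group(5)


def classify(release):
    """Return 'in-range', 'in-range-check-backport' or 'outside-listed-range'."""
    major, minor, patch, rc, suffix = parse_release(release)
    series = (major, minor)
    if rc is not None:
        # Release candidates are only listed for the 7.0 series.
        in_range = rc in AFFECTED_RCS.get(series, set())
    else:
        in_range = series in FIXED_IN and patch < FIXED_IN[series]
    if not in_range:
        return "outside-listed-range"
    # A vendor/distro suffix means the base version alone does not settle it:
    # the fix may have been backported without a version bump.
    return "in-range-check-backport" if suffix else "in-range"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and releases are made up).
    inventory = {
        "board-01": "6.18.7",
        "board-02": "6.18.19",
        "board-03": "6.19.8-vendor-k1",
        "lab-rc": "7.0.0-rc2",
    }
    for host, release in sorted(inventory.items()):
        print(f"{host:10} {release:20} {classify(release)}")
```

A result of outside-listed-range only reflects the version string; it says nothing about whether the Spacemit driver is built into that kernel.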

Evidence notes

All statements are based on the supplied CVE description, NVD record, and the referenced Linux kernel patch links. The CVE was published at 2026-05-08T15:16:59.080Z and modified at 2026-05-20T18:40:51.467Z. NVD lists the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and identifies the issue as NVD-CWE-noinfo. The supplied references point to kernel.org stable patch commits that resolve the error-handling defect.

Official resources

Publicly disclosed in the CVE/NVD records on 2026-05-08, with NVD metadata updated on 2026-05-20. The supplied patch references indicate the remediation is already available in kernel stable trees.