PatchSiren

CVE-2026-43486 Linux CVE debrief

CVE-2026-43486 is a Linux kernel arm64 contpte bug in access-flag handling. The issue can make a sub-PTE appear updated when only a sibling entry changed, which can stop the kernel from applying the needed read/write state to the actual faulting descriptor and lead to repeated faults.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-13
Advisory published: 2026-05-13
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distro security teams, and operators running arm64 systems that use contiguous PTEs, especially where faults may be handled by SMMU/ATS walkers or hardware that does not use FEAT_HAFDBS-style gathered behavior.

Technical summary

The reported bug is in contpte_ptep_set_access_flags(). It previously compared a gathered ptep_get() view against the requested entry to decide whether the operation was a no-op. Because ptep_get() ORs access-flag/dirty state across all sub-PTEs in the CONT block, a dirty or updated sibling could make the target look already updated even when that target sub-PTE still had PTE_RDONLY set or still lacked PTE_AF. That is safe for CPUs with FEAT_HAFDBS, but it is not safe for page-table walkers that evaluate each descriptor individually, such as some SMMU paths or CPUs without the relevant hardware behavior. The fix checks each sub-PTE’s raw values against the requested access state before returning no-op, and keeps using the raw target PTE for the write-bit decision.
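The no-op decision described above can be reproduced in a small user-space model. This is an added example, not kernel code or the upstream patch: the helper names (gathered_get, noop_raw, decide), the bit positions, and the 16-entry block size are assumptions chosen for illustration, and the block contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model: bit positions and block size are illustrative
 * assumptions, not copied from kernel headers; address bits are omitted. */
#define CONT_PTES  16
#define PTE_RDONLY (1ULL << 7)
#define PTE_AF     (1ULL << 10)
#define PTE_WRITE  (1ULL << 51)
#define PTE_DIRTY  (1ULL << 55)
#define RAW_DIRTY(p) (((p) & PTE_DIRTY) || (((p) & PTE_WRITE) && !((p) & PTE_RDONLY)))

/* Gathered view of sub-PTE idx: AF and dirty are ORed in from every sibling. */
static uint64_t gathered_get(const uint64_t *blk, int idx) {
    uint64_t pte = blk[idx];
    for (int i = 0; i < CONT_PTES; i++) {
        if (blk[i] & PTE_AF)
            pte |= PTE_AF;
        if (RAW_DIRTY(blk[i])) {
            pte |= PTE_DIRTY;
            if (pte & PTE_WRITE)
                pte &= ~PTE_RDONLY;   /* writable + dirty reads back as read/write */
        }
    }
    return pte;
}

/* Post-fix decision as described above: every raw sub-PTE must already match. */
static bool noop_raw(const uint64_t *blk, uint64_t entry) {
    for (int i = 0; i < CONT_PTES; i++)
        if (blk[i] != entry)
            return false;
    return true;
}

/* Constructed case: sibling 3 is updated; target 0 is stale unless all_updated. */
static int decide(bool all_updated, bool use_raw) {
    uint64_t entry = PTE_WRITE | PTE_AF | PTE_DIRTY, blk[CONT_PTES];
    for (int i = 0; i < CONT_PTES; i++)
        blk[i] = (all_updated || i == 3) ? entry : (PTE_WRITE | PTE_RDONLY);
    /* use_raw == false models the pre-fix check: gathered view == requested entry */
    return use_raw ? noop_raw(blk, entry) : (gathered_get(blk, 0) == entry);
}

int main(void) {
    printf("stale target:  gathered=%d raw=%d\n", decide(false, false), decide(false, true));
    printf("fully updated: gathered=%d raw=%d\n", decide(true, false), decide(true, true));
    return 0;
}
```

With the stale target, the gathered comparison reports a no-op while sub-PTE 0 still carries PTE_RDONLY and lacks PTE_AF; the raw comparison does not.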

Defensive priority

High for affected arm64 Linux environments. The flaw can cause persistent fault re-triggers rather than a one-time access update, which is an availability issue and can stall affected workloads or devices.

Recommended defensive actions

  • Apply the upstream Linux kernel fix referenced by the stable commit links in the CVE record.
  • Backport the correction if you maintain an arm64 kernel that uses contiguous PTE mappings.
  • Prioritize testing on systems using SMMU/ATS, CPUs without FEAT_HAFDBS-style gathered behavior, or configurations where HA/HD are disabled.
  • Verify that your kernel branch includes the raw per-PTE access-flag checks introduced in contpte_ptep_set_access_flags().
  • Monitor for repeated page-fault or I/O fault logs on arm64 systems that use contiguous mappings, especially after access-flag updates.

Evidence notes

This debrief is based only on the supplied CVE description, timeline, and official references. The CVE record shows a published/modified date of 2026-05-13T16:16:51.880Z and provides four Linux kernel stable commit references. No CVSS score, vector, or CWE was supplied in the source corpus.

Official resources

Publicly disclosed in the CVE record on 2026-05-13T16:16:51.880Z, with Linux kernel stable references supplied in the official NVD record.