Bug 2464479 (CVE-2026-43034)

Summary:	CVE-2026-43034 kernel: bnxt_en: set backing store type from query type
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	rhel-process-autobot, watson-tool-maintainers
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in the `bnxt_en` driver within the Linux kernel. This vulnerability arises from the `bnxt_hwrm_func_backing_store_qcaps_v2()` function using an incorrect type value from the firmware response to index internal data arrays. This improper indexing could lead to memory corruption, potentially causing system instability or a Denial of Service (DoS).	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-01 15:09:07 UTC

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: set backing store type from query type

bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the
firmware response in ctxm->type and later uses that value to index
fixed backing-store metadata arrays such as ctx_arr[] and
bnxt_bstore_to_trace[].

ctxm->type is fixed by the current backing-store query type and matches
the array index of ctx->ctx_arr. Set ctxm->type from the current loop
variable instead of depending on resp->type.

Also update the loop to advance type from next_valid_type in the for
statement, which keeps the control flow simpler for non-valid and
unchanged entries.

Comment 1 Keith Grant 2026-05-01 17:39:26 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050102-CVE-2026-43034-f539@gregkh/T