Bug 2467162 (CVE-2026-43210)

Summary: CVE-2026-43210 kernel: tracing: ring-buffer: Fix to check event length before using
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's tracing ring-buffer subsystem. This vulnerability occurs in the `rb_read_data_buffer()` function, which fails to validate the length of an event before using it to determine the next memory address. If an event's length is corrupted, this can lead to an invalid memory access during system boot, potentially causing a denial of service (DoS) by crashing the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-06 13:07:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

tracing: ring-buffer: Fix to check event length before using

Check the event length before adding it for accessing next index in
rb_read_data_buffer(). Since this function is used for validating
possibly broken ring buffers, the length of the event could be broken.
In that case, the new event (e + len) can point a wrong address.
To avoid invalid memory access at boot, check whether the length of
each event is in the possible range before using it.
Comment 1 Keith Grant 2026-05-06 21:41:49 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050649-CVE-2026-43210-f4dd@gregkh/T