Bug 2468157 (CVE-2026-43445) - CVE-2026-43445 kernel: e1000/e1000e: Fix leak in DMA error cleanup
Summary: CVE-2026-43445 kernel: e1000/e1000e: Fix leak in DMA error cleanup
Keywords:
Status: NEW
Alias: CVE-2026-43445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-08 15:02 UTC by OSIDB Bzimport
Modified: 2026-05-09 00:28 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-08 15:02:09 UTC 
In the Linux kernel, the following vulnerability has been resolved:

e1000/e1000e: Fix leak in DMA error cleanup

If an error is encountered while mapping TX buffers, the driver should
unmap any buffers already mapped for that skb.

Because count is incremented after a successful mapping, it will always
match the correct number of unmappings needed when dma_error is reached.
Decrementing count before the while loop in dma_error causes an
off-by-one error. If any mapping was successful before an unsuccessful
mapping, exactly one DMA mapping would leak.

In these commits, a faulty while condition caused an infinite loop in
dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e
driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")

Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of
unsigned in *_tx_map()") fixed the infinite loop, but introduced the
off-by-one error.

This issue may still exist in the igbvf driver, but I did not address it
in this patch.
Comment 1 Keith Grant 2026-05-09 00:25:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050855-CVE-2026-43445-4e53@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.