dcache: Limit the minimal number of bucket to two

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets
'dhash_entries=1':
BUG: unable to handle page fault for address: ffff888b30b774b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP PTI
RIP: 0010:__d_lookup+0x56/0x120
Call Trace:
d_lookup.cold+0x16/0x5d
lookup_dcache+0x27/0xf0
lookup_one_qstr_excl+0x2a/0x180
start_dirop+0x55/0xa0
simple_start_creating+0x8d/0xa0
debugfs_start_creating+0x8c/0x180
debugfs_create_dir+0x1d/0x1c0
pinctrl_init+0x6d/0x140
do_one_initcall+0x6d/0x3d0
kernel_init_freeable+0x39f/0x460
kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is
set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,
following process will access more than one buckets(which memory region
is not allocated) in dentry_hashtable:
d_lookup
b = d_hash(hash)
dentry_hashtable + ((u32)hashlen >> d_hash_shift)
// The C standard defines the behavior of right shift amounts
// exceeding the bit width of the operand as undefined. The
// result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
// so 'b' will point to an unallocated memory region.
hlist_bl_for_each_entry_rcu(b)
hlist_bl_first_rcu(head)
h->first // read OOB!

Fix it by limiting the minimal number of dentry_hashtable bucket to two,
so that 'd_hash_shift' won't exceeds the bit width of type u32.

AI Analysis

AI processing failed - invalid JSON response

Basic Information

ID CVE-2026-43071

Source Linux

Published May 5, 2026 at 15:29

Modified May 8, 2026 at 12:40

Affected Product

Vendor Linux

Product Linux

Version 99d263d4c5b2f541dfacb5391e22e8c91ea982a6

Affected Versions Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6
Linux Linux d4c96061fddd129778ce8b70fb093aa532f422d0
Linux Linux be2378cbffe50ce0161f0fdee914adee98af53dc
Linux Linux a8be8af18485f9fade90e1743d940252a39eec84
Linux Linux b5cf3193759f7cd1cfbeef11f5cf067bbce22e55
Linux Linux 3.17

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n  BUG: unable to handle page fault for address: ffff888b30b774b0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Oops: Oops: 0000 [#1] SMP PTI\n  RIP: 0010:__d_lookup+0x56/0x120\n   Call Trace:\n    d_lookup.cold+0x16/0x5d\n    lookup_dcache+0x27/0xf0\n    lookup_one_qstr_excl+0x2a/0x180\n    start_dirop+0x55/0xa0\n    simple_start_creating+0x8d/0xa0\n    debugfs_start_creating+0x8c/0x180\n    debugfs_create_dir+0x1d/0x1c0\n    pinctrl_init+0x6d/0x140\n    do_one_initcall+0x6d/0x3d0\n    kernel_init_freeable+0x39f/0x460\n    kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n  b = d_hash(hash)\n    dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n    // The C standard defines the behavior of right shift amounts\n    // exceeding the bit width of the operand as undefined. The\n    // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n    // so 'b' will point to an unallocated memory region.\n  hlist_bl_for_each_entry_rcu(b)\n   hlist_bl_first_rcu(head)\n    h->first  // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32.",
    "published": "2026-05-05T15:29:28.081Z",
    "modified": "2026-05-08T12:40:21.054Z",
    "type": "cve",
    "title": "dcache: Limit the minimal number of bucket to two",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73\nhttps://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d\nhttps://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b\nhttps://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af\nhttps://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526\nhttps://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579",
    "id": "CVE-2026-43071",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux 99d263d4c5b2f541dfacb5391e22e8c91ea982a6\nLinux Linux d4c96061fddd129778ce8b70fb093aa532f422d0\nLinux Linux be2378cbffe50ce0161f0fdee914adee98af53dc\nLinux Linux a8be8af18485f9fade90e1743d940252a39eec84\nLinux Linux b5cf3193759f7cd1cfbeef11f5cf067bbce22e55\nLinux Linux 3.17",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "99d263d4c5b2f541dfacb5391e22e8c91ea982a6",
    "vendor": "Linux",
    "ai_description": "AI processing failed - invalid JSON response",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

dcache: Limit the minimal number of bucket to two_CVE-2026-43071