External risk intelligence

Linux kernel could allow internal attacker to crash the system

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-43071

An internal attacker with administrative access to Linux kernel boot configurations could force a system crash or leak sensitive memory data. This flaw compromises system stability and the integrity of the underlying operating environment.

Halo Surface Signal: 1

Out-of-bounds Read

Linux Kernel

  • 3.10.55 to before 3.11
  • 3.12.29 to before 3.13
  • 3.14.19 to before 3.15
  • 3.16.3 to before 3.17
  • 3.17.1 to before 6.6.136
  • 6.7 to before 6.12.83
  • 6.13 to before 6.18.24
  • 6.19 to before 6.19.14
  • 7.0 t...

External exposure likelihood

Halo Surface Signal score for CVE-2026-43071

Triggering this vulnerability requires an administrator to manually apply an obscure, non-standard boot parameter (`dhash_entries=1`) to the Linux kernel. The flaw is not reachable through a network service, exposes no public interface, and can only be triggered with local or administrative system access.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in the Linux kernel could allow an attacker to cause a system crash. It occurs when a specific, uncommon configuration setting is used, leading to a read outside of allocated memory.

  • Can cause system instability.
  • Affects systems with a specific configuration.

Attack Path

How an attacker could exploit the issue

An attacker would need local access to a Linux system and the ability to modify kernel boot parameters. By setting `dhash_entries=1`, they could trigger an out-of-bounds read in the kernel's dentry hash table, leading to a kernel crash.

  • Requires local admin access.
  • Target is a kernel boot parameter.
  • Causes kernel crash.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability involves an out-of-bounds read in the Linux kernel's dentry hash table, triggered by a specific, non-default kernel parameter. While this could lead to system instability or crashes, it requires an attacker to first gain administrative privileges or otherwise manipulate kernel boot parameters, making direct exploitation for widespread compromise unlikely. The complexity and prerequisites for triggering this flaw suggest it's more of a local privilege escalation or denial-of-service vector for an already compromised system rather than a remote exploit.

  • Requires admin access to set parameter.
  • No public exploit code known.
  • No KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize identifying and isolating Linux systems where the `dhash_entries=1` kernel parameter may be configured, as this could lead to critical out-of-bounds read vulnerabilities. Focus on systems with known administrative access or those running specialized services that might utilize custom kernel parameters. Given the complexity of exploitation, containment through parameter modification is a strong mitigation.

  • Block `dhash_entries=1` kernel parameter.
  • Monitor systems for OOB read errors.
  • Upgrade kernel to a fixed version.
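
One way to carry out the identification step above, as an added example that is not part of the advisory: a POSIX shell check that flags the running kernel's command line and boot-loader configuration files when they set `dhash_entries` to 1. The file paths are common defaults, and treating alternate spellings such as `0x1` or `01` as 1 is a conservative assumption.

```sh
#!/bin/sh
# Added example (not from the advisory): find boot configs that set
# dhash_entries to 1. Paths in scan_all are common defaults (assumption).

# Succeeds if VALUE is a numeric spelling of 1 (1, 01, 0x1).
# Assumption: alternate spellings count as 1, to stay conservative.
dhash_value_is_one() {
    v=$1
    case "$v" in
        0[xX]*) v=${v#0[xX]}
                case "$v" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        *)      case "$v" in ''|*[!0-9]*) return 1 ;; esac ;;
    esac
    while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done
    [ "$v" = 1 ]
}

# Succeeds if any word of LINE is dhash_entries=<1>. Runs in a subshell so
# that "set -f" (no globbing while splitting) does not leak to the caller.
cmdline_sets_dhash_one() (
    set -f
    for word in $1; do
        case "$word" in \#*) exit 1 ;; esac      # rest of line is a comment
        word=${word%\"}; word=${word%\'}         # GRUB_CMDLINE_LINUX="... x"
        word=${word##*\"}; word=${word##*\'}     # GRUB_CMDLINE_LINUX="x ..."
        case "$word" in
            dhash_entries=*) dhash_value_is_one "${word#dhash_entries=}" && exit 0 ;;
        esac
    done
    exit 1
)

# Prints every line of FILE that sets the parameter to 1.
scan_source() {
    [ -r "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        if cmdline_sets_dhash_one "$line"; then
            printf 'FLAG %s: %s\n' "$1" "$line"
        fi
    done < "$1"
}

# /proc/cmdline is the running kernel; the other files apply at next boot.
scan_all() {
    for f in /proc/cmdline /etc/default/grub /boot/grub/grub.cfg \
             /boot/grub2/grub.cfg /boot/loader/entries/*.conf; do
        scan_source "$f"
    done
}
scan_all
```

A `FLAG` line for `/proc/cmdline` means the running kernel was booted with the parameter; a hit in any other file means it will be applied on the next boot from that entry.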

Frequently asked questions

What is the Linux kernel and what is it used for?

The Linux kernel is the core component of the Linux operating system. It manages the system's resources, such as the CPU, memory, and devices, and provides essential services for all running applications. It's the foundation upon which the entire Linux operating system is built.

What is the vulnerability in CVE-2026-43071 classified as?

This vulnerability is classified as an out-of-bounds read, identified by CWE-125. It occurs when the Linux kernel attempts to access memory that has not been allocated to it, due to a specific configuration of the dentry hash table.

How can the out-of-bounds read vulnerability in CVE-2026-43071 be triggered?

The vulnerability is triggered when the `dhash_entries` kernel parameter is set to '1'. This specific setting causes the kernel to miscalculate memory access for the dentry hash table, leading to an attempt to read from an unallocated memory region. This behavior is not seen if `dhash_entries` is set to two or more.

Who should be concerned about CVE-2026-43071?

Organizations running Linux kernel versions affected by this vulnerability should be concerned. While the vulnerability requires local administrative access and a specific kernel parameter to be exploited, it can lead to system crashes. Its impact is categorized as external due to the potential for system-wide disruption.

What are the first steps to address CVE-2026-43071?

As a first step, administrators should identify Linux systems that might be using the `dhash_entries=1` kernel parameter. Blocking this specific parameter is a key mitigation. Additionally, monitoring systems for out-of-bounds read errors and planning for kernel upgrades to fixed versions are important practical responses.
