{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "99d263d4c5b2f541dfacb5391e22e8c91ea982a6"
            },
            {
              "fixed": "45b06bb5ea96f75ad81d7ef446f832ea6b0026fe"
            },
            {
              "fixed": "426ef05e82ee52c8d0e95fc0808b7383d8352d73"
            },
            {
              "fixed": "ddd57ebce245f9c7e2f6902a6c087d6186d2385d"
            },
            {
              "fixed": "755b40903eff563768d4d96fd4ef51ec48adde3b"
            },
            {
              "fixed": "5718df131ab78897a9dd1f2e71c3ba732d4392af"
            },
            {
              "fixed": "277cedabb0ab86baae83fa58218be13c6d3e5526"
            },
            {
              "fixed": "f08fe8891c3eeb63b73f9f1f6d97aa629c821579"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "d4c96061fddd129778ce8b70fb093aa532f422d0"
            },
            {
              "last_affected": "be2378cbffe50ce0161f0fdee914adee98af53dc"
            },
            {
              "last_affected": "a8be8af18485f9fade90e1743d940252a39eec84"
            },
            {
              "last_affected": "b5cf3193759f7cd1cfbeef11f5cf067bbce22e55"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.10.55"
            },
            {
              "fixed": "3.11"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.12.29"
            },
            {
              "fixed": "3.13"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.14.19"
            },
            {
              "fixed": "3.15"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.16.3"
            },
            {
              "fixed": "3.17"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.17.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.136"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.83"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.24"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.14"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.20.0"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43071.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n  BUG: unable to handle page fault for address: ffff888b30b774b0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Oops: Oops: 0000 [#1] SMP PTI\n  RIP: 0010:__d_lookup+0x56/0x120\n   Call Trace:\n    d_lookup.cold+0x16/0x5d\n    lookup_dcache+0x27/0xf0\n    lookup_one_qstr_excl+0x2a/0x180\n    start_dirop+0x55/0xa0\n    simple_start_creating+0x8d/0xa0\n    debugfs_start_creating+0x8c/0x180\n    debugfs_create_dir+0x1d/0x1c0\n    pinctrl_init+0x6d/0x140\n    do_one_initcall+0x6d/0x3d0\n    kernel_init_freeable+0x39f/0x460\n    kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n  b = d_hash(hash)\n    dentry_hashtable + ((u32)hashlen \u003e\u003e d_hash_shift)\n    // The C standard defines the behavior of right shift amounts\n    // exceeding the bit width of the operand as undefined. The\n    // result of '(u32)hashlen \u003e\u003e d_hash_shift' becomes 'hashlen',\n    // so 'b' will point to an unallocated memory region.\n  hlist_bl_for_each_entry_rcu(b)\n   hlist_bl_first_rcu(head)\n    h-\u003efirst  // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32.",
  "id": "CVE-2026-43071",
  "modified": "2026-07-08T05:38:09.808890736Z",
  "published": "2026-05-05T15:29:28.081Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/45b06bb5ea96f75ad81d7ef446f832ea6b0026fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43071.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43071"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dcache: Limit the minimal number of bucket to two"
}