KernelScan.io

HIGH

perf/arm-cmn Hardware Overflow

CVE-2026-43150

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 6.1 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

perf/arm-cmn: Reject unsupported hardware configurations

So far we've been fairly lax about accepting both unknown CMN models (at least with a warning), and unknown revisions of those which we do know, as although things do frequently change between releases, typically enough remains the same to be somewhat useful for at least some basic bringup checks.

However, we also make assumptions of the maximum supported sizes and numbers of things in various places, and there's no guarantee that something new might not be bigger and lead to nasty array overflows. Make sure we only try to run on things that actually match our assumptions and so will not risk memory corruption.

We have at least always failed on completely unknown node types, so update that error message for clarity and consistency too.

02

Engine v0.2.0

Risk summary

Systems with ARM CMN (Coherent Mesh Network) hardware running newer or unsupported CMN configurations are vulnerable to kernel memory corruption. Array overflows occur when the hardware reports node counts or mesh dimensions larger than the driver's hardcoded assumptions, potentially leading to system crashes or boot failures.

Affected: drivers/perf/arm-cmn.c (ARM CMN performance monitoring)

Vulnerability analysis

The root cause is insufficient validation of hardware-reported CMN configuration parameters against driver assumptions. The arm-cmn driver made hardcoded assumptions about maximum node counts (CMN_MAX_NODES_PER_EVENT) and mesh dimensions (CMN_MAX_DIMENSION) but did not validate that actual hardware configurations stay within these bounds. When newer CMN hardware reports larger values, the driver proceeds to use these values as array indices, leading to out-of-bounds writes to kernel memory. The fix adds explicit validation checks that reject configurations exceeding the driver's supported limits, preventing memory corruption by failing gracefully with -ENODEV when unsupported hardware is detected.

03

Branch     Fixed in   Patch commit
6.1        6.1.165    7e2c200010aa
6.12       6.12.75    00d69f21ef2a
6.18       6.18.16    08c7eadd8a93
6.19       6.19.6     a251d866f50b
6.6        6.6.128    d3e837e11ee9
mainline   7.0        36c0de02575c