HIGH
loongarch cpumask_of_node OOB
CVE-2026-43212
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.8MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE The arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE - which is a valid index - so add a check for this.
02KernelScan AI Analysis
Risk summary
On LoongArch systems, cpumask_of_node() performs an out-of-bounds read when passed NUMA_NO_NODE (-1), accessing memory immediately preceding the cpus_on_node[] array. This leaks up to sizeof(cpumask_t) bytes of adjacent kernel memory (C:Low) and can destabilize the system, leading to a kernel crash or panic (A:High).
Vulnerability analysis
The LoongArch-specific cpumask_of_node() macro directly indexes the cpus_on_node[] array without validating the node argument. Because NUMA_NO_NODE is defined as (-1), this results in an out-of-bounds read at cpus_on_node[-1]. The returned invalid cpumask may then be consumed by callers, causing undefined behavior. The fix returns cpu_all_mask for NUMA_NO_NODE, consistent with other architectures. The bug is reachable from unprivileged local contexts (e.g., sysfs topology queries or device enumeration paths) that legitimately pass NUMA_NO_NODE.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.165 | b5bf05e05cdf |
| 6.12 | 6.12.75 | 92adfb707bee |
| 6.18 | 6.18.16 | 61a56df2fbaa |
| 6.19 | 6.19.6 | 1d8f2f024801 |
| 6.6 | 6.6.128 | bb1a54f7f011 |
| mainline | 7.0 | 94b0c831eda7 |