HIGH
vdpa GroupASID OOB
CVE-2026-43248
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.0 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

vhost: move vdpa group bound check to vhost_vdpa

Remove duplication by consolidating these here. This reduces the possibility of a parent driver missing them. While we're at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out of bound write.
02 KernelScan AI Analysis
Risk summary
A privileged local attacker with CAP_NET_ADMIN can trigger an out-of-bounds write in the vDPA simulator by providing an invalid group ID to the VHOST_VDPA_SET_GROUP_ASID ioctl. This can corrupt kernel memory and potentially cause system crashes or enable further exploitation in virtualized environments.
Vulnerability analysis
The vulnerability stems from an off-by-one error in bounds checking for vDPA group IDs. The original code checked 'group > ngroups' instead of 'group >= ngroups', allowing a group ID equal to ngroups to pass validation and cause out-of-bounds array access. The fix consolidates bounds checking into the vhost_vdpa layer with proper validation. Attack surface is limited to local privileged users with access to vhost-vdpa device files, typically in virtualization or container environments using vDPA acceleration.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | ddb57354634b |
| 6.18 | 6.18.16 | 7441d35d14d9 |
| 6.19 | 6.19.6 | 406db68f9cb9 |
| mainline | 7.0 | cd025c1e876b |