CVE-2026-43489 (GCVE-0-2026-43489)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
VLAI?
Title
liveupdate: luo_file: remember retrieve() status
Summary
In the Linux kernel, the following vulnerability has been resolved: liveupdate: luo_file: remember retrieve() status LUO keeps track of successful retrieve attempts on a LUO file. It does so to avoid multiple retrievals of the same file. Multiple retrievals cause problems because once the file is retrieved, the serialized data structures are likely freed and the file is likely in a very different state from what the code expects. The retrieve boolean in struct luo_file keeps track of this, and is passed to the finish callback so it knows what work was already done and what it has left to do. All this works well when retrieve succeeds. When it fails, luo_retrieve_file() returns the error immediately, without ever storing anywhere that a retrieve was attempted or what its error code was. This results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace, but nothing prevents it from trying this again. The retry is problematic for much of the same reasons listed above. The file is likely in a very different state than what the retrieve logic normally expects, and it might even have freed some serialization data structures. Attempting to access them or free them again is going to break things. For example, if memfd managed to restore 8 of its 10 folios, but fails on the 9th, a subsequent retrieve attempt will try to call kho_restore_folio() on the first folio again, and that will fail with a warning since it is an invalid operation. Apart from the retry, finish() also breaks. Since on failure the retrieved bool in luo_file is never touched, the finish() call on session close will tell the file handler that retrieve was never attempted, and it will try to access or free the data structures that might not exist, much in the same way as the retry attempt. There is no sane way of attempting the retrieve again. Remember the error retrieve returned and directly return it on a retry. Also pass this status code to finish() so it can make the right decision on the work it needs to do. This is done by changing the bool to an integer. A value of 0 means retrieve was never attempted, a positive value means it succeeded, and a negative value means it failed and the error code is the value.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < 1d3ad69484dc1cc53be62d2554e7ef038a627af9 (git)
Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < f85b1c6af5bc3872f994df0a5688c1162de07a62 (git)
Create a notification for this product.
Linux Linux Affected: 6.19
Unaffected: 0 , < 6.19 (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/liveupdate.h",
            "kernel/liveupdate/luo_file.c",
            "mm/memfd_luo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d3ad69484dc1cc53be62d2554e7ef038a627af9",
              "status": "affected",
              "version": "7c722a7f44e0c1f9714084152226bc7bd644b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "f85b1c6af5bc3872f994df0a5688c1162de07a62",
              "status": "affected",
              "version": "7c722a7f44e0c1f9714084152226bc7bd644b7e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/liveupdate.h",
            "kernel/liveupdate/luo_file.c",
            "mm/memfd_luo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nliveupdate: luo_file: remember retrieve() status\n\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\nproblems because once the file is retrieved, the serialized data\nstructures are likely freed and the file is likely in a very different\nstate from what the code expects.\n\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\nto the finish callback so it knows what work was already done and what it\nhas left to do.\n\nAll this works well when retrieve succeeds.  When it fails,\nluo_retrieve_file() returns the error immediately, without ever storing\nanywhere that a retrieve was attempted or what its error code was.  This\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\nbut nothing prevents it from trying this again.\n\nThe retry is problematic for much of the same reasons listed above.  The\nfile is likely in a very different state than what the retrieve logic\nnormally expects, and it might even have freed some serialization data\nstructures.  Attempting to access them or free them again is going to\nbreak things.\n\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\nthe 9th, a subsequent retrieve attempt will try to call\nkho_restore_folio() on the first folio again, and that will fail with a\nwarning since it is an invalid operation.\n\nApart from the retry, finish() also breaks.  Since on failure the\nretrieved bool in luo_file is never touched, the finish() call on session\nclose will tell the file handler that retrieve was never attempted, and it\nwill try to access or free the data structures that might not exist, much\nin the same way as the retry attempt.\n\nThere is no sane way of attempting the retrieve again.  Remember the error\nretrieve returned and directly return it on a retry.  Also pass this\nstatus code to finish() so it can make the right decision on the work it\nneeds to do.\n\nThis is done by changing the bool to an integer.  A value of 0 means\nretrieve was never attempted, a positive value means it succeeded, and a\nnegative value means it failed and the error code is the value."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:08:33.810Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62"
        }
      ],
      "title": "liveupdate: luo_file: remember retrieve() status",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43489",
    "datePublished": "2026-05-13T15:08:33.810Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-13T15:08:33.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43489",
      "date": "2026-05-20",
      "epss": "0.00024",
      "percentile": "0.06869"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43489\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-13T16:16:52.230\",\"lastModified\":\"2026-05-13T16:16:52.230\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nliveupdate: luo_file: remember retrieve() status\\n\\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\\nproblems because once the file is retrieved, the serialized data\\nstructures are likely freed and the file is likely in a very different\\nstate from what the code expects.\\n\\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\\nto the finish callback so it knows what work was already done and what it\\nhas left to do.\\n\\nAll this works well when retrieve succeeds.  When it fails,\\nluo_retrieve_file() returns the error immediately, without ever storing\\nanywhere that a retrieve was attempted or what its error code was.  This\\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\\nbut nothing prevents it from trying this again.\\n\\nThe retry is problematic for much of the same reasons listed above.  The\\nfile is likely in a very different state than what the retrieve logic\\nnormally expects, and it might even have freed some serialization data\\nstructures.  Attempting to access them or free them again is going to\\nbreak things.\\n\\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\\nthe 9th, a subsequent retrieve attempt will try to call\\nkho_restore_folio() on the first folio again, and that will fail with a\\nwarning since it is an invalid operation.\\n\\nApart from the retry, finish() also breaks.  Since on failure the\\nretrieved bool in luo_file is never touched, the finish() call on session\\nclose will tell the file handler that retrieve was never attempted, and it\\nwill try to access or free the data structures that might not exist, much\\nin the same way as the retry attempt.\\n\\nThere is no sane way of attempting the retrieve again.  Remember the error\\nretrieve returned and directly return it on a retry.  Also pass this\\nstatus code to finish() so it can make the right decision on the work it\\nneeds to do.\\n\\nThis is done by changing the bool to an integer.  A value of 0 means\\nretrieve was never attempted, a positive value means it succeeded, and a\\nnegative value means it failed and the error code is the value.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.