GHSA-h7p4-fpxw-m265MediumCVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic...

Published
April 22, 2026
Last Modified
July 14, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

module: Fix kernel panic when a symbol st_shndx is out of bounds

The module loader doesn't check for bounds of the ELF section index in simplify_symbols():

   for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
	const char *name = info->strtab + sym[i].st_name;

	switch (sym[i].st_shndx) {
	case SHN_COMMON:

	[...]

	default:
		/* Divert to percpu allocation if a percpu var. */
		if (sym[i].st_shndx == info->index.pcpu)
			secbase = (unsigned long)mod_percpu(mod);
		else

/** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } }

A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1].

[1] https://lore.kernel.org/linux-modules/[email protected]/

🔗 References (11)