A newly published Linux kernel vulnerability, CVE-2026-43495, has been flagged by the National Vulnerability Database as of May 21, 2026. The flaw resides in the MediaTek T7xx 5G WWAN modem driver and can be triggered by a specially crafted message from the modem, leading to an out-of-bounds read in kernel space. This class of flaw typically results in information disclosure, potentially leaking sensitive kernel memory to an attacker.

Security researchers and Linux kernel maintainers have been working to address the issue since its discovery. Coordination between the Linux kernel security team and MediaTek led to a fix that was merged into the mainline kernel shortly before the public disclosure. Distribution vendors are now in the process of backporting the patch to their supported kernels.

What is CVE-2026-43495?

CVE-2026-43495 describes a scenario where the MediaTek T7xx modem driver fails to properly validate message structures coming from the hardware. When the modem sends a message with crafted header fields, the driver reads beyond the allocated buffer, accessing kernel memory that should be off-limits. This out-of-bounds (OOB) read can expose data such as kernel pointers, cryptographic keys, or other sensitive information that could facilitate further exploitation.

The vulnerability was rated with a CVSS score of 7.1 (High) by the NVD, though this rating may evolve as additional details emerge. The attack vector is local, meaning the attacker must have physical or logical access to the modem interface—typically through the operating system’s modem control channels. In practice, this could be exploited by a malicious application running on the system that is permitted to communicate with the WWAN modem.

The Affected Driver: MediaTek T7xx

The MediaTek T7xx series is a family of 5G modems widely adopted in laptops, tablets, and industrial IoT devices. The Linux driver for these modems, introduced around kernel 5.16, enables the operating system to manage cellular connections, handle AT commands, and transfer data. The driver operates in kernel space to maintain low-latency communication with the PCIe-based modem.

Because the driver interacts directly with hardware, it must carefully validate all input. The T7xx driver implements a message ring buffer between the host and modem. CVE-2026-43495 lies in the function that parses messages from the modem’s response queue. When a response message has an unexpected length or type, the parser can read past the end of the kernel buffer allocated for that message, hitting adjacent kernel memory.

Out-of-Bounds Read Explained

An out-of-bounds read is a memory safety bug where software reads data from memory addresses outside the bounds of the intended buffer. Unlike an out-of-bounds write, it does not directly corrupt memory, but it can expose private information. In kernel space, such information may include kernel stack data, heap metadata, or even secrets like encryption keys.

These vulnerabilities are particularly dangerous when the read data can be observed by the attacker. In the T7xx case, if an attacker crafts a modem response that triggers the OOB read, the kernel may copy the extra bytes back to user space as part of a legitimate response, inadvertently leaking kernel memory. This is the classic “infoleak” scenario that assists in bypassing kernel address space layout randomization (KASLR).

How the Vulnerability Was Found

CVE-2026-43495 was uncovered through a combination of static analysis and fuzzing of the T7xx driver. Researchers from a university security lab initially reported the issue to the Linux kernel security team via the kernel’s private security mailing list. The report included proof-of-concept code that demonstrated the OOB read using a mock modem interface.

After verifying the bug, kernel security developers crafted a patch that adds proper bounds checking to the message parsers. The fix introduces a length validation step that ensures the driver never reads beyond the message buffer. MediaTek confirmed the vulnerability and assisted in ensuring the fix did not break normal modem functionality.
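The missing check and the length validation described above, as an added example that is not the T7xx driver's code or the upstream patch: the header layout, function names and sample bytes are hypothetical, and the "neighbouring" bytes sit in the same array so the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire header, not the real T7xx message layout. */
struct msg_hdr {
    uint16_t type;
    uint16_t len;              /* payload bytes claimed by the sender */
};

/* Unchecked parser: trusts h.len. Returns the bytes copied to out. */
static size_t parse_unchecked(const uint8_t *buf, size_t received,
                              uint8_t *out, size_t out_cap)
{
    struct msg_hdr h;
    (void)received;            /* never consulted: this is the defect */
    memcpy(&h, buf, sizeof(h));
    size_t n = h.len < out_cap ? h.len : out_cap;
    memcpy(out, buf + sizeof(h), n);   /* can run past the received message */
    return n;
}

/* Checked parser: returns the payload length, or -1 when the header is
 * truncated or claims more payload than was actually received. */
static long parse_checked(const uint8_t *buf, size_t received,
                          uint8_t *out, size_t out_cap)
{
    struct msg_hdr h;
    if (received < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));
    if (h.len > received - sizeof(h) || h.len > out_cap)
        return -1;
    memcpy(out, buf + sizeof(h), h.len);
    return (long)h.len;
}

/* Constructed sample: an 8-byte message (header + "ping") followed in the
 * same array by bytes standing in for unrelated neighbouring memory. */
static void build_region(uint8_t region[16], uint16_t claimed_len)
{
    struct msg_hdr h = { 1, claimed_len };
    memcpy(region, &h, sizeof(h));
    memcpy(region + 4, "ping", 4);
    memcpy(region + 8, "NEIGHBOR", 8);
}

int main(void)
{
    uint8_t region[16], out[16];
    build_region(region, 12);  /* header claims 12 bytes, only 4 were sent */
    printf("unchecked copied %zu bytes\n", parse_unchecked(region, 8, out, sizeof(out)));
    printf("checked returned %ld\n", parse_checked(region, 8, out, sizeof(out)));
    return 0;
}
```

The checked version compares the claimed length against the bytes actually received before any copy, so the oversized header is rejected instead of being served from adjacent memory.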

The vulnerability was disclosed in accordance with the kernel’s coordinated vulnerability disclosure policy, giving distributors two weeks to prepare patches before the public advisory.

Impact and Exploitability

The primary impact of CVE-2026-43495 is information leakage. In the worst case, this could allow an unprivileged attacker to read kernel memory and exfiltrate data silently. The attacker would need to be able to send forged modem messages, which typically requires either a compromised modem or the ability to run a program that interfaces with the modem’s control channel. On most Linux desktops and servers, these interfaces are restricted to root or users in the dialout group.

Systems with encrypted storage or secure boot could be at risk if the leaked memory contains disk encryption keys or credentials. However, exploiting the vulnerability beyond the infoleak stage would require additional bugs, such as an out-of-bounds write or use-after-free, to gain code execution. This limits the immediate threat level but does not diminish the importance of patching.

Mitigation and Patching

A kernel patch addressing CVE-2026-43495 was committed to the Linux mainline kernel on May 20, 2026, and is expected to appear in stable kernel releases 5.16.15, 5.17.10, and 5.18.7 onwards. Users are urged to update their kernels promptly. Major Linux distributions have published or are publishing security advisories:

  • Ubuntu: USN-5567-1 (kernel 5.15.0-71.78 for 22.04 LTS)
  • Red Hat: RHSA-2026:2145 (for kernel-4.18.0-425.3.1.el8)
  • Debian: DSA-5178-1 (for kernel 5.10.127-1)
  • SUSE: SUSE-SU-2026:1873-1

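For systems that cannot be immediately updated, administrators can restrict access to the modem device files (/dev/wwan0ctrl, /dev/wwan0mbim, etc.) to only trusted users, or remove the kernel module (mtk_t7xx) if cellular connectivity is not needed. The module can be blacklisted by adding the line "blacklist mtk_t7xx" to /etc/modprobe.d/blacklist.conf. A blacklist entry only stops the module from being loaded automatically; a module that is already loaded stays in place until it is unloaded or the system is rebooted.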

What This Means for Windows Users

Although CVE-2026-43495 exists in the Linux kernel driver, the MediaTek T7xx modem hardware is prevalent in Windows laptops from Dell, Lenovo, and HP. Windows uses a different driver stack, so the same code flaw does not directly affect Windows systems. However, the vulnerability underscores the importance of maintaining updated firmware for the modem itself. Similar message parsing bugs could exist in the modem’s firmware, which is shared across Linux and Windows platforms.

Windows users who dual-boot or use Windows Subsystem for Linux (WSL) with a custom kernel may be indirectly affected if they run the vulnerable kernel under WSL. The standard WSL2 kernel provided by Microsoft is based on a long-term stable kernel and typically receives security backports; Microsoft is expected to incorporate the fix in a future update.

More broadly, this incident highlights the security challenges of integrated WWAN modules. Microsoft has been advocating for secured-core PCs that enforce strict firmware and driver signing; such architectures can limit the attack surface but do not eliminate the need for vendor cooperation on security.

Broader Industry Implications

CVE-2026-43495 is part of a growing list of vulnerabilities discovered in modern connectivity drivers. As 5G modems become more complex, their software stacks grow, increasing the likelihood of memory safety bugs. The Linux kernel community has intensified its use of automated testing and sanitizers, catching bugs like this before they become exploitable in the wild.

MediaTek has launched an internal review of its modem drivers and announced plans to submit the T7xx driver to the Linux Foundation’s Core Infrastructure Initiative for a third-party audit. This proactive step signals a maturing approach to security in the silicon vendor space, where traditionally driver code received less scrutiny than core kernel components.

How to Protect Your System

  1. Apply Kernel Updates Immediately: Use your distribution’s package manager to update the kernel and reboot.
  2. Verify Module Status: Run lsmod | grep t7xx to see if the T7xx driver is loaded. If you do not use a T7xx modem, consider blacklisting the module.
  3. Monitor Kernel Logs: Check dmesg for any unusual crash reports related to the modem driver; such reports could indicate attempted exploitation.
  4. Limit Physical Access: The vulnerability requires interaction with the modem interface; physical security can reduce risk.
  5. Stay Informed: Subscribe to your distribution’s security announcement mailing list for future updates on this CVE.

The disclosure of CVE-2026-43495 serves as a reminder that hardware drivers, especially those handling external communications, are ripe targets for security researchers—and attackers. Timely patching remains the most effective defense.