CVE-2026-45851 | efi: Fix reservation of unaccepted memory table

In the Linux kernel, the following vulnerability has been resolved: efi: Fix reservation of unaccepted memory table The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned. If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory(). This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB). Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation.

Published: 2026-05-27 Last update: 2026-05-27 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Awaiting Analysis，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-45851 is rated Low Risk (5.2/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-45851

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-28	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-45851

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-45851

GitHub Security Advisory for CVE-2026-45851

GHSA-r9jv-8h68-mr7c · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: efi: Fix reservation of...

OS Trackers for CVE-2026-45851

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-45851 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-45851
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2026-45851
`ubuntu`	medium	CVE-2026-45851 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1422 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1024, ignored 169, not-affected 89, released 84, needed 37, pending 18, needs-triage 1.	https://ubuntu.com/security/CVE-2026-45851

Affected software / configurations for CVE-2026-45851

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-45851

URL	Tags
https://git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505
https://git.kernel.org/stable/c/9b18bf59977f5c5bc3b11b210520f62500a7adf3
https://git.kernel.org/stable/c/b7bc182ec1846be437351e44164089d988f9d0dd
https://git.kernel.org/stable/c/ba6b6f1502fa55621d1db23f253d54322bdbe4e0
https://git.kernel.org/stable/c/e649b5916725c68f44ebf45fb396df563c5dbaf2

cvelogic Threat Intelligence