DEBIAN-CVE-2026-43071
In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':

    BUG: unable to handle page fault for address: ffff888b30b774b0
    #PF: supervisor read access in kernel mode
    #PF: errorcode(0x0000) - not-present page
    Oops: Oops: 0000 [#1] SMP PTI
    RIP: 0010:dlookup+0x56/0x120
    Call Trace:
     dlookup.cold+0x16/0x5d
     lookupdcache+0x27/0xf0
     lookuponeqstrexcl+0x2a/0x180
     startdirop+0x55/0xa0
     simplestartcreating+0x8d/0xa0
     debugfsstartcreating+0x8c/0x180
     debugfscreatedir+0x1d/0x1c0
     pinctrlinit+0x6d/0x140
     dooneinitcall+0x6d/0x3d0
     kernelinitfreeable+0x39f/0x460
     kernelinit+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, the following process will access more than one bucket (whose memory region is not allocated) in dentry_hashtable:

    __d_lookup
     b = d_hash(hash)
       dentry_hashtable + ((u32)hashlen >> d_hash_shift)
       // The C standard defines the behavior of right shift amounts
       // exceeding the bit width of the operand as undefined. The
       // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
       // so 'b' will point to an unallocated memory region.
     hlist_bl_for_each_entry_rcu(b)
      hlist_bl_first_rcu(head)
       h->first  // read OOB!

Fix it by limiting the minimal number of dentry_hashtable buckets to two, so that 'd_hash_shift' won't exceed the bit width of type u32.
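The arithmetic behind the description above, as an added user-space example (not kernel code and not part of the original advisory). It assumes the shift is derived as 32 minus log2 of the bucket count, which matches the value 32 the description gives for one bucket, and it models the x86 behaviour of masking a 32-bit shift count to 5 bits; all helper names and the sample hash are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed derivation of the shift: 32 - log2(buckets). One bucket gives 32. */
static unsigned int hash_shift(uint32_t buckets)
{
    unsigned int log2 = 0;
    while (log2 < 31 && (1u << log2) < buckets)
        log2++;
    return 32 - log2;
}

/* Models the x86 SHR instruction, which masks a 32-bit shift count to 5 bits.
 * In C, shifting a u32 by 32 is undefined, so the masking is written out
 * explicitly here instead of relying on it. */
static uint32_t bucket_index_x86(uint32_t hash, unsigned int shift)
{
    return hash >> (shift & 31);
}

/* The fix described above: never size the table below two buckets. */
static uint32_t clamp_buckets(uint32_t requested)
{
    return requested < 2 ? 2 : requested;
}

/* Returns 1 when the computed index stays inside the allocated table. */
static int index_in_bounds(uint32_t hash, uint32_t buckets)
{
    return bucket_index_x86(hash, hash_shift(buckets)) < buckets;
}

int main(void)
{
    uint32_t hash = 0x9e3779b9u;            /* constructed sample hash value */
    uint32_t sizes[2] = { 1, clamp_buckets(1) };

    for (int i = 0; i < 2; i++)
        printf("buckets=%u shift=%u index=%u in_bounds=%d\n",
               (unsigned)sizes[i], hash_shift(sizes[i]),
               (unsigned)bucket_index_x86(hash, hash_shift(sizes[i])),
               index_in_bounds(hash, sizes[i]));
    return 0;
}
```

With one bucket the index equals the full hash value, far past the single allocated slot; with the two-bucket minimum the shift is 31 and the index is always 0 or 1.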
References
https://security-tracker.debian.org/tracker/CVE-2026-43071
