CVE-2026-43487 in Linux
Summary
by MITRE • 05/13/2026
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-core: Disable LPM on ST1000DM010-2EP102
According to a user report, the ST1000DM010-2EP102 has problems with LPM, causing random system freezes. The drive belongs to the same BarraCuda family as the ST2000DM008-2FR102 which has the same issue.
Analysis
by VulDB Data Team • 05/17/2026
The vulnerability involves a critical issue within the Linux kernel's libata-core subsystem that affects specific hard disk drive models from Seagate's BarraCuda line. This problem manifests as random system freezes occurring when the drive enters Low Power Mode (LPM), which is a standard power management feature designed to reduce energy consumption during periods of inactivity. The affected drive model ST1000DM010-2EP102 represents a specific variant within the BarraCuda family that has been identified as problematic, with similar issues reported for the ST2000DM008-2FR102 model, indicating a broader compatibility problem within this product line.
The technical flaw stems from improper handling of power management states within the libata driver implementation, which governs communication with Serial ATA devices. When the kernel attempts to negotiate and maintain LPM states with the affected Seagate drives, the drives fail to properly respond to power management commands, resulting in system hangs that require forced rebooting to resolve. This behavior represents a failure in the ATA subsystem's ability to gracefully handle device-specific power management quirks, particularly those related to the drive's response to LPM state transitions. The issue specifically impacts the kernel's ability to maintain system stability when power management features are enabled for these particular drive models.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially critical system reliability issues, as random freezes can occur during active system operations including data transfers, system updates, or critical business processes. Users experiencing this problem may encounter complete system lockups that require manual intervention, leading to potential data loss or service interruptions in production environments. The vulnerability affects any Linux system utilizing the affected Seagate drives with libata-core drivers, making it particularly concerning for server deployments, desktop systems, and embedded applications where system stability is paramount. This issue can manifest during both automated power management operations and manual system activities, creating unpredictable downtime scenarios.
The mitigation strategy involves disabling LPM functionality for the affected drive models through kernel boot parameters or driver configuration options, specifically targeting the problematic ST1000DM010-2EP102 and ST2000DM008-2FR102 models. System administrators should implement the kernel parameter libata.force=nolpm to disable the problematic power management features, or alternatively use specific drive model identification to exclude these devices from LPM operations. The solution aligns with ATT&CK technique T1490 which involves system destruction and resource exhaustion through power management manipulation. This vulnerability demonstrates the importance of proper device-specific driver handling and the need for comprehensive testing of power management features across different hardware variants. The fix represents a temporary workaround that maintains system functionality while avoiding the problematic LPM states, though it may result in reduced power efficiency for affected systems. This issue highlights the complexity of maintaining compatibility across diverse hardware implementations within open source kernel ecosystems and the necessity for robust device-specific handling mechanisms in storage subsystems.
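To find out whether a host carries one of the two drive models named above and which link power management policy its SATA port is using, the following check reads sysfs. It is an added example, not code from the advisory or the kernel patch. The function names and the sysfs-root argument are assumptions made for illustration; the sysfs attributes it reads are the standard scsi_device model file and the scsi_host link_power_management_policy file.

```shell
#!/bin/sh
# Added example (not from the advisory): list disks matching the two model
# strings on this page and the link power management policy of their SATA host.
AFFECTED_MODELS="ST1000DM010-2EP102 ST2000DM008-2FR102"

# sysfs shows the SCSI product field (16 characters at most), so the 18-character
# model strings appear truncated; match on the full string or its first 16
# characters. A truncated hit can also be a sibling revision: confirm the full
# model with `smartctl -i` before acting on it.
model_is_affected() {
    for m in $AFFECTED_MODELS; do
        short=$(printf '%.16s' "$m")
        if [ "$1" = "$m" ] || [ "$1" = "$short" ]; then return 0; fi
    done
    return 1
}

# Prints "<disk> <model> <host> <policy> <status>" for each matching disk.
# $1 is the sysfs root (default /sys); a hypothetical parameter so the logic
# can be run against a constructed directory tree.
report_affected() {
    root=${1:-/sys}
    for dev in "$root"/class/scsi_device/*; do
        [ -r "$dev/device/model" ] || continue
        model=$(sed 's/[[:space:]]*$//' "$dev/device/model")
        model_is_affected "$model" || continue
        host="host${dev##*/}"      # directory name is H:C:T:L
        host=${host%%:*}           # keep "hostH"
        disk=$(ls "$dev/device/block" 2>/dev/null | head -n 1)
        pol_file="$root/class/scsi_host/$host/link_power_management_policy"
        if [ -r "$pol_file" ]; then policy=$(cat "$pol_file"); else policy=unknown; fi
        case "$policy" in
            max_performance) status=LPM_OFF ;;     # no link power saving on this port
            unknown)         status=UNKNOWN ;;     # host does not expose the attribute
            *)               status=LPM_ACTIVE ;;  # a power-saving policy is set
        esac
        echo "${disk:-?} $model $host $policy $status"
    done
}

report_affected "${SYSFS_ROOT:-/sys}"
```

A line ending in LPM_ACTIVE for a matching drive marks a port where the workaround described above has not taken effect through the host policy.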