CVE-2026-43121

Source
https://cve.org/CVERecord?id=CVE-2026-43121
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43121.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43121
Downstream
Published
2026-05-06T11:27:08.216Z
Modified
2026-07-15T01:49:04.384432272Z
Summary
io_uring/zcrx: fix user_ref race between scrub and refill paths
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring/zcrx: fix userref race between scrub and refill paths

The iozcrxputniovuref() function uses a non-atomic check-then-decrement pattern (atomicread followed by separate atomicdec) to manipulate userrefs. This is serialized against other callers by rqlock, but iozcrxscrub() modifies the same counter with atomicxchg() WITHOUT holding rqlock.

On SMP systems, the following race exists:

CPU0 (refill, holds rqlock) CPU1 (scrub, no rqlock) putniovuref: atomicread(uref) - 1 // window opens atomicxchg(uref, 0) - 1 returnniovfreelist(niov) [PUSH #1] // window closes atomicdec(uref) - wraps to -1 returns true returnniov(niov) returnniovfreelist(niov) [PUSH #2: DOUBLE-FREE]

The same niov is pushed to the freelist twice, causing freecount to exceed nriovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object.

Fix this by replacing the non-atomic read-then-dec in iozcrxputniovuref() with an atomictrycmpxchg loop that atomically tests and decrements userrefs. This makes the operation safe against concurrent atomicxchg from scrub without requiring scrub to acquire rq_lock.

[pavel: removed a warning and a comment]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43121.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
34a3e60821ab9f335a58d43a88cccdbefdebdec3
Fixed
a94f096e28bfc7975163a6b80f1c8f323efe317a
Fixed
485dc691257b96e6d3bdc25b0eff2daadcc5c46c
Fixed
003049b1c4fb8aabb93febb7d1e49004f6ad653b

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43121.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43121.json"