CVE-2026-43073
Awaiting Analysis Awaiting Analysis - Queue
Misleadingly Named Memory Copy Function in Linux Kernel

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: x86-64: rename misleadingly named '__copy_user_nocache()' function This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-05-06
AI Q&A
2026-05-05
EPSS Evaluated
N/A
NVD
CVE-2026-43073
EUVD
EUVD-2026-27378
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves a misleadingly named function in the Linux kernel called '__copy_user_nocache()'. The function's name suggests it performs a non-cached copy from user space, but in reality, it neither performs a non-cached copy nor strictly copies from user space. Instead, it is a specialized memory copy routine that uses non-temporal stores for the destination and handles exceptions for both source and destination accesses.

The function was originally intended to copy data from user space into a non-cached kernel buffer, particularly for fragile persistent memory targets that require non-temporal stores to handle machine check exceptions gracefully. However, some drivers misused this function as a performance tweak for kernel copies without proper exception handling.

The vulnerability was addressed by renaming the function to better reflect its actual behavior, changing its prototype to require proper user pointer conversion, and correcting its usage in kernel code to prevent misuse.


How can this vulnerability impact me? :

The vulnerability could lead to improper handling of memory copies within the Linux kernel, especially where the function was misused by drivers for kernel copies without proper exception handling. This misuse might cause unexpected behavior or instability in the kernel, particularly when dealing with fragile persistent memory.

Since the function handles exceptions for both source and destination accesses, incorrect use could potentially lead to kernel crashes or data corruption if machine check exceptions are not properly managed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart