CVE-2026-43121
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel io_uring/zcrx Subsystem

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43121
EUVD
EUVD-2026-27682
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's io_uring subsystem, specifically in the io_zcrx_put_niov_uref() function. The function uses a non-atomic check-then-decrement pattern to manipulate user reference counters, which is supposed to be serialized by a lock (rq_lock). However, another function, io_zcrx_scrub(), modifies the same counter without holding this lock, leading to a race condition on SMP (multi-processor) systems.

Due to this race, the same memory object (niov) can be freed twice (double-free), causing the freelist's free_count to exceed its limit. This results in out-of-bounds writes past the allocated freelist array into adjacent memory, potentially corrupting memory.

The fix involved replacing the non-atomic decrement with an atomic compare-and-exchange loop to safely decrement the user reference counter, preventing the race without requiring the scrub function to acquire the lock.

Impact Analysis

This vulnerability can lead to memory corruption due to out-of-bounds writes caused by a double-free condition in the kernel's io_uring subsystem. Memory corruption can potentially be exploited to cause system crashes, data corruption, or privilege escalation, depending on how an attacker leverages the flaw.

Mitigation Strategies

The vulnerability has been fixed in the Linux kernel by changing the io_zcrx_put_niov_uref() function to use an atomic_try_cmpxchg loop that safely decrements user_refs, preventing the race condition.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43121. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart