CVE-2026-43128
Awaiting Analysis
Double DMA Buffer Unpin in Linux Kernel RDMA

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-08
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 6 associated CPEs

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| linux | linux_kernel | From 6.2 (inc) to 6.6.128 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.75 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.16 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.6 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.165 (exc) |
CWE
CWE-415: The product calls free() twice on the same memory address.
Executive Summary

This vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the handling of dma_buf unpinning in failure paths.

In the function ib_umem_dmabuf_get_pinned_with_dma_device(), if the call to ib_umem_dmabuf_map_pages() fails, the dma_buf is immediately unpinned but a flag indicating it is still pinned remains set. Later, when ib_umem_release() is called, it triggers a second unpin operation on the same dma_buf, causing a double unpin.

The fix removes the immediate unpin on failure and relies on the normal release path to handle unpinning correctly, ensuring proper ordering and avoiding the double unpin issue.
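The failure path described above, as a userspace C model added here (not the kernel source or the upstream patch). The struct fields and the `model_*` and `run_failure_path` names are hypothetical stand-ins, and an integer pin count stands in for the dmabuf's pin state.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: simplified stand-ins, not kernel code. */
struct model_umem {
    int  pin_count;           /* pins currently held on the dmabuf */
    bool pinned;              /* models umem_dmabuf->pinned */
    bool mapped;              /* models a non-NULL umem_dmabuf->sgt */
    bool unpin_while_mapped;  /* set if unpin ran before unmap */
};

static void model_unpin(struct model_umem *u)
{
    if (u->mapped)
        u->unpin_while_mapped = true;  /* unmap-unpin ordering broken */
    u->pin_count--;
}

/* Models a failing ib_umem_dmabuf_map_pages(); a late failure leaves the
 * mapping in place, as in the dma_resv_wait_timeout case. */
static int model_map_pages_fail(struct model_umem *u, bool late)
{
    u->mapped = late;
    return -1;
}

/* Models ib_umem_release() -> ib_umem_dmabuf_revoke(): unmap, then unpin. */
static void model_release(struct model_umem *u)
{
    u->mapped = false;
    if (u->pinned)
        model_unpin(u);
    u->pinned = false;
}

/* Failed get_pinned followed by release; returns the final model state. */
struct model_umem run_failure_path(bool unpin_on_error, bool late)
{
    struct model_umem u = { .pin_count = 1, .pinned = true }; /* pin taken */
    if (model_map_pages_fail(&u, late) != 0 && unpin_on_error)
        model_unpin(&u);               /* pre-fix: pinned flag stays set */
    model_release(&u);                 /* error unwind by the release path */
    return u;
}

int main(void)
{
    printf("pre-fix  pin_count=%d\n", run_failure_path(true, false).pin_count);
    printf("post-fix pin_count=%d\n", run_failure_path(false, false).pin_count);
    return 0;
}
```

A final count of -1 in the pre-fix run is the unbalanced second unpin; the model does not reproduce what the real kernel does after that point.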

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the double dma_buf_unpin issue in the failure path of RDMA/umem. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Impact Analysis

This vulnerability involves a double unpinning of dma_buf in the Linux kernel's RDMA umem code path. If the ib_umem_dmabuf_map_pages() call fails, the dmabuf is unpinned immediately but the pinned flag remains set, leading to a second unpin when ib_umem_release() is called. This can cause improper resource handling and potentially lead to kernel instability or memory corruption.
