CVE-2026-43128
Status: Awaiting Analysis
Double DMA Buffer Unpin in Linux Kernel RDMA

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).

Meta Information
Published: 2026-05-06
Last Modified: 2026-05-08
Generated: 2026-05-27
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-05-25

Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the handling of dma_buf unpinning in failure paths.

In the function ib_umem_dmabuf_get_pinned_with_dma_device(), if the call to ib_umem_dmabuf_map_pages() fails, the dma_buf is immediately unpinned but a flag indicating it is still pinned remains set. Later, when ib_umem_release() is called, it triggers a second unpin operation on the same dma_buf, causing a double unpin.

The fix removes the immediate unpin on failure and relies on the normal release path to handle unpinning correctly, ensuring proper ordering and avoiding the double unpin issue.
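
A simplified userspace model of the failure path described above, added here as an illustration and not taken from the kernel source or from the advisory. The struct and function names (model_dmabuf, model_umem, model_get_pinned and so on) are hypothetical, and the model assumes the error unwind always ends in the release path, as the description states.

```c
/* Userspace model of the pin accounting; added example, not kernel source. */
#include <stdbool.h>
#include <stdio.h>

struct model_dmabuf {  /* hypothetical stand-in for the exporter's pin state */
    int pin_count;     /* pins currently held */
    int underflows;    /* unpin calls made while no pin was held */
};
struct model_umem {    /* hypothetical stand-in for the umem_dmabuf */
    struct model_dmabuf *buf;
    bool pinned;       /* mirrors the umem_dmabuf->pinned flag */
};
static void model_pin(struct model_dmabuf *b) { b->pin_count++; }
static void model_unpin(struct model_dmabuf *b)
{
    if (b->pin_count == 0)
        b->underflows++;   /* unbalanced unpin: the defect being modelled */
    else
        b->pin_count--;
}
/* Release/revoke path: unpins whenever the flag says a pin is held. */
static void model_release(struct model_umem *u)
{
    if (u->pinned) {
        model_unpin(u->buf);
        u->pinned = false;
    }
}
/* Pin, then map. unpin_on_error=true models the pre-fix failure path. */
static int model_get_pinned(struct model_umem *u, bool map_fails, bool unpin_on_error)
{
    model_pin(u->buf);
    u->pinned = true;
    if (!map_fails)
        return 0;
    if (unpin_on_error)
        model_unpin(u->buf);   /* immediate unpin, flag left set */
    model_release(u);          /* error unwind ends in the release path */
    return -1;
}
/* Number of unbalanced unpins seen after one failed map. */
int unbalanced_unpins(bool unpin_on_error)
{
    struct model_dmabuf b = {0, 0};
    struct model_umem u = {&b, false};
    (void)model_get_pinned(&u, true, unpin_on_error);
    return b.underflows;
}
int main(void) { printf("pre-fix: %d, fixed: %d\n", unbalanced_unpins(true), unbalanced_unpins(false)); return 0; }
```

With the immediate unpin in place the model records one unpin with no pin held; with it removed, the release path performs the only unpin and the count stays balanced.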


How can this vulnerability impact me?

This vulnerability involves a double unpinning of dma_buf in the Linux kernel's RDMA umem code path. If the ib_umem_dmabuf_map_pages() call fails, the dmabuf is unpinned immediately but the pinned flag remains set, leading to a second unpin when ib_umem_release() is called. This can cause improper resource handling and potentially lead to kernel instability or memory corruption.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the double dma_buf_unpin issue in the failure path of RDMA/umem. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

