CVE-2026-43128
Awaiting Analysis Awaiting Analysis - Queue

Double DMA Buffer Unpin in Linux Kernel RDMA

Vulnerability report for CVE-2026-43128, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-07-06
AI Q&A
2026-05-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the handling of dma_buf unpinning in failure paths.

In the function ib_umem_dmabuf_get_pinned_with_dma_device(), if the call to ib_umem_dmabuf_map_pages() fails, the dma_buf is immediately unpinned but a flag indicating it is still pinned remains set. Later, when ib_umem_release() is called, it triggers a second unpin operation on the same dma_buf, causing a double unpin.

The fix removes the immediate unpin on failure and relies on the normal release path to handle unpinning correctly, ensuring proper ordering and avoiding the double unpin issue.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the double dma_buf_unpin issue in the failure path of RDMA/umem. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Impact Analysis

This vulnerability involves a double unpinning of dma_buf in the Linux kernel's RDMA umem code path. If the ib_umem_dmabuf_map_pages() call fails, the dmabuf is unpinned immediately but the pinned flag remains set, leading to a second unpin when ib_umem_release() is called. This can cause improper resource handling and potentially lead to kernel instability or memory corruption.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart