CVE-2026-43128
Double DMA Buffer Unpin in Linux Kernel RDMA
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the handling of dma_buf unpinning in failure paths.
In the function ib_umem_dmabuf_get_pinned_with_dma_device(), if the call to ib_umem_dmabuf_map_pages() fails, the dma_buf is immediately unpinned but a flag indicating it is still pinned remains set. Later, when ib_umem_release() is called, it triggers a second unpin operation on the same dma_buf, causing a double unpin.
The fix removes the immediate unpin on failure and relies on the normal release path to handle unpinning correctly, ensuring proper ordering and avoiding the double unpin issue.
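The failure path described above, reduced to a userspace C model (an added example, not the kernel's code or the upstream patch). The `model_*` names and the underflow counter are assumptions for illustration: a pin count stands in for the dma_buf pin state, and a `pinned` flag stands in for the flag the release path checks.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: these structs and functions are hypothetical
 * stand-ins, not the kernel's RDMA or dma-buf code. */
struct model_dmabuf { int pin_count; int underflows; };
struct model_umem { struct model_dmabuf *buf; bool pinned; };

static void model_pin(struct model_dmabuf *b) { b->pin_count++; }
static void model_unpin(struct model_dmabuf *b)
{
    if (b->pin_count > 0)
        b->pin_count--;
    else
        b->underflows++;   /* unpin with no pin outstanding */
}

/* Normal release path: unpins only if the flag says a pin is held. */
static void model_release(struct model_umem *u)
{
    if (u->pinned) {
        model_unpin(u->buf);
        u->pinned = false;
    }
}

/* Stand-in for the map step; always fails to drive the error path. */
static int model_map_pages(struct model_umem *u) { (void)u; return -1; }

/* Returns the number of unbalanced unpins seen after a failed map. */
int run_failed_get(bool unpin_in_error_path)
{
    struct model_dmabuf buf = { 0, 0 };
    struct model_umem u = { &buf, false };
    model_pin(&buf);
    u.pinned = true;
    if (model_map_pages(&u) != 0) {
        if (unpin_in_error_path)
            model_unpin(&buf);   /* pre-fix: flag stays set */
        model_release(&u);       /* unpins again if the flag is still set */
    }
    return buf.underflows;
}

int main(void)
{
    printf("pre-fix: %d, post-fix: %d\n", run_failed_get(true), run_failed_get(false));
    return 0;
}
```

With the error-path unpin present the model records one unbalanced unpin; with it removed, the release path performs the only unpin and the count stays balanced.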
How can this vulnerability impact me?
This vulnerability involves a double unpinning of dma_buf in the Linux kernel's RDMA umem code path. If the ib_umem_dmabuf_map_pages() call fails, the dma_buf is unpinned immediately but the pinned flag remains set, leading to a second unpin when ib_umem_release() is called. This can cause improper resource handling and potentially lead to kernel instability or memory corruption.