CVE-2026-43121

Published: Mag 06, 2026 Last Modified: Mag 06, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_ref race between scrub and refill paths

The io_zcrx_put_niov_uref() function uses a non-atomic
check-then-decrement pattern (atomic_read followed by separate
atomic_dec) to manipulate user_refs. This is serialized against other
callers by rq_lock, but io_zcrx_scrub() modifies the same counter with
atomic_xchg() WITHOUT holding rq_lock.

On SMP systems, the following race exists:

CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock)
put_niov_uref:
atomic_read(uref) - 1
// window opens
atomic_xchg(uref, 0) - 1
return_niov_freelist(niov) [PUSH #1]
// window closes
atomic_dec(uref) - wraps to -1
returns true
return_niov(niov)
return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE]

The same niov is pushed to the freelist twice, causing free_count to
exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds
write (a u32 value) past the kvmalloc'd freelist array into the adjacent
slab object.

Fix this by replacing the non-atomic read-then-dec in
io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically
tests and decrements user_refs. This makes the operation safe against
concurrent atomic_xchg from scrub without requiring scrub to acquire
rq_lock.

[pavel: removed a warning and a comment]

https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e…

https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e49004f6ad653b

https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0ef…

https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0eff2daadcc5c46c

https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1…

https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1c8f323efe317a

CVE-2026-43121

Description

Iscriviti alla newsletter