{"id":"CVE-2026-43121","summary":"io_uring/zcrx: fix user_ref race between scrub and refill paths","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix user_ref race between scrub and refill paths\n\nThe io_zcrx_put_niov_uref() function uses a non-atomic\ncheck-then-decrement pattern (atomic_read followed by separate\natomic_dec) to manipulate user_refs. This is serialized against other\ncallers by rq_lock, but io_zcrx_scrub() modifies the same counter with\natomic_xchg() WITHOUT holding rq_lock.\n\nOn SMP systems, the following race exists:\n\n  CPU0 (refill, holds rq_lock)          CPU1 (scrub, no rq_lock)\n  put_niov_uref:\n    atomic_read(uref) - 1\n    // window opens\n                                        atomic_xchg(uref, 0) - 1\n                                        return_niov_freelist(niov) [PUSH #1]\n    // window closes\n    atomic_dec(uref) - wraps to -1\n    returns true\n    return_niov(niov)\n    return_niov_freelist(niov)           [PUSH #2: DOUBLE-FREE]\n\nThe same niov is pushed to the freelist twice, causing free_count to\nexceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds\nwrite (a u32 value) past the kvmalloc'd freelist array into the adjacent\nslab object.\n\nFix this by replacing the non-atomic read-then-dec in\nio_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically\ntests and decrements user_refs. This makes the operation safe against\nconcurrent atomic_xchg from scrub without requiring scrub to acquire\nrq_lock.\n\n[pavel: removed a warning and a comment]","modified":"2026-07-15T01:49:04.384432272Z","published":"2026-05-06T11:27:08.216Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43121.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e49004f6ad653b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0eff2daadcc5c46c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1c8f323efe317a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43121.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43121"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"34a3e60821ab9f335a58d43a88cccdbefdebdec3"},{"fixed":"a94f096e28bfc7975163a6b80f1c8f323efe317a"},{"fixed":"485dc691257b96e6d3bdc25b0eff2daadcc5c46c"},{"fixed":"003049b1c4fb8aabb93febb7d1e49004f6ad653b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43121.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43121.json"}}],"schema_version":"1.7.5"}