PT-2026-52295 · Linux · Linux

Published: 2026-06-25 · Updated: 2026-06-25

CVE-2026-53199

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
netvsc_copy_to_send_buf() copies page buffer entries into the VMBus send buffer using phys_to_virt() on the entry PFN. Entries for the RNDIS header and the skb linear data come from kmalloc'd memory and are always in the kernel direct map, but entries for skb fragments reference page cache or user pages, which on 32-bit x86 with CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page phys_to_virt() returns an address outside the direct map and the subsequent memcpy() faults on the transmit softirq path, which is fatal.
Map the pages with kmap_local_page() instead, handling two properties of the page buffer entries:
  • pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity, not a native PFN. Reconstruct the physical address first and derive the native page from it, so the mapping stays correct where PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
  • Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN grouping in the page buffer array"), an entry describes a full physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, while kmap_local_page() maps a single page. Copy page by page, splitting at native page boundaries.
The copy path only handles packets smaller than the send section size (6144 bytes by default); larger packets take the cp_partial path where only the RNDIS header is copied. So entries here are bounded by the section size and a copy is split at most once on 4K-page systems. On !CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and no mapping work is added.
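
The address reconstruction and page-by-page split described above, modelled in user space as an added example; this is not the kernel patch. The names split_entry and struct chunk, the in-entry byte offset parameter and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HV_HYP_PAGE_SHIFT 12 /* Hyper-V PFNs are always 4K-granular */

struct chunk {               /* hypothetical: one single-page copy step */
    uint64_t native_pfn;     /* page that would go to kmap_local_page() */
    uint32_t offset;         /* byte offset inside that native page */
    uint32_t len;            /* bytes copied under this one mapping */
};

/* Split one page buffer entry (Hyper-V PFN, offset, length) into copies
 * that never cross a native page boundary. native_shift is log2 of the
 * native PAGE_SIZE. Returns the number of chunks written (at most max). */
size_t split_entry(uint64_t hv_pfn, uint32_t offset, uint32_t len,
                   unsigned native_shift, struct chunk *out, size_t max)
{
    uint64_t page_size = 1ULL << native_shift;
    /* Rebuild the physical address first, then derive native units. */
    uint64_t phys = (hv_pfn << HV_HYP_PAGE_SHIFT) + offset;
    size_t n = 0;

    while (len > 0 && n < max) {
        uint32_t off = (uint32_t)(phys & (page_size - 1));
        uint32_t room = (uint32_t)(page_size - off);
        uint32_t take = len < room ? len : room;

        out[n].native_pfn = phys >> native_shift;
        out[n].offset = off;
        out[n].len = take;
        n++;
        phys += take;
        len -= take;
    }
    return n;
}

int main(void)
{
    struct chunk c[4];
    /* Constructed entry: 3000 bytes starting 2000 bytes into HV PFN 0x1001. */
    size_t n = split_entry(0x1001, 2000, 3000, 12, c, 4);

    for (size_t i = 0; i < n; i++)
        printf("pfn=%#llx off=%u len=%u\n",
               (unsigned long long)c[i].native_pfn, c[i].offset, c[i].len);
    return 0;
}
```

With 4K native pages the constructed entry is split once; with 64K pages the same Hyper-V PFN lands inside a single native page at a non-zero offset, which is why the native page must be derived from the physical address and not from the Hyper-V PFN directly.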

Related identifiers

CVE-2026-53199

Affected products

Linux