PT-2026-37461 · Git+4 · Kernel+109

·

CVE-2026-43121

·

Published

2026-05-06

·

Updated

2026-06-01

CVSS v3.1

4.7

Medium

VectorAV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description A race condition exists in the io uring/zcrx component on SMP systems between the scrub and refill paths. The io zcrx put niov uref() function employs a non-atomic check-then-decrement pattern using atomic read followed by atomic dec to manage user refs. While this is serialized by rq lock, the io zcrx scrub() function modifies the same counter using atomic xchg() without holding the rq lock. This concurrency can lead to a double-free scenario where the same niov is pushed to the freelist twice, causing the free count to exceed nr iovs. Consequently, subsequent freelist pushes may result in an out-of-bounds write of a u32 value past the kvmalloc'd freelist array into an adjacent slab object.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43121

Affected Products

Kernel
Linux
Linux-Allwinner-5.19
Linux-Aws
Linux-Aws-5.0
Linux-Aws-5.11
Linux-Aws-5.13
Linux-Aws-5.19
Linux-Aws-5.3
Linux-Aws-5.8
Linux-Aws-6.14
Linux-Aws-6.17
Linux-Aws-6.2
Linux-Aws-6.5
Linux-Azure
Linux-Azure-5.11
Linux-Azure-5.13
Linux-Azure-5.19
Linux-Azure-5.3
Linux-Azure-5.8
Linux-Azure-6.11
Linux-Azure-6.17
Linux-Azure-6.2
Linux-Azure-6.5
Linux-Azure-Edge
Linux-Azure-Fde
Linux-Azure-Fde-5.19
Linux-Azure-Fde-6.17
Linux-Azure-Fde-6.2
Linux-Bluefield
Linux-Gcp
Linux-Gcp-5.11
Linux-Gcp-5.13
Linux-Gcp-5.19
Linux-Gcp-5.3
Linux-Gcp-5.8
Linux-Gcp-6.11
Linux-Gcp-6.14
Linux-Gcp-6.17
Linux-Gcp-6.2
Linux-Gcp-6.5
Linux-Gke
Linux-Gke-4.15
Linux-Gkeop-5.15
Linux-Gke-5.4
Linux-Gkeop
Linux-Hwe
Linux-Hwe-5.11
Linux-Hwe-5.13
Linux-Hwe-5.19
Linux-Hwe-5.8
Linux-Hwe-6.11
Linux-Hwe-6.14
Linux-Hwe-6.17
Linux-Hwe-6.2
Linux-Hwe-6.5
Linux-Hwe-Edge
Linux-Intel-5.13
Linux-Intel-Iot-Realtime
Linux-Lowlatency-Hwe-5.19
Linux-Lowlatency-Hwe-6.11
Linux-Lowlatency-Hwe-6.2
Linux-Lowlatency-Hwe-6.5
Linux-Lts
Linux-Nvidia
Linux-Nvidia-6.11
Linux-Nvidia-6.17
Linux-Nvidia-6.2
Linux-Nvidia-6.5
Linux-Nvidia-7.0
Linux-Nvidia-Bos
Linux-Oem
Linux-Oem-5.10
Linux-Oem-5.13
Linux-Oem-5.14
Linux-Oem-5.17
Linux-Oem-5.6
Linux-Oem-6.0
Linux-Oem-6.1
Linux-Oem-6.11
Linux-Oem-6.14
Linux-Oem-6.17
Linux-Oem-6.5
Linux-Oem-6.8
Linux-Oracle
Linux-Oracle-5.0
Linux-Oracle-5.11
Linux-Oracle-5.13
Linux-Oracle-5.3
Linux-Oracle-5.8
Linux-Oracle-6.14
Linux-Oracle-6.17
Linux-Oracle-6.5
Linux-Raspi
Linux-Raspi-Realtime
Linux-Raspi2
Linux-Realtime
Linux-Realtime-6.14
Linux-Realtime-6.17
Linux-Riscv
Linux-Riscv-5.11
Linux-Riscv-5.19
Linux-Riscv-5.8
Linux-Riscv-6.14
Linux-Riscv-6.17
Linux-Riscv-6.5
Linux-Starfive-5.19
Linux-Starfive-6.2
Linux-Starfive-6.5
Linux Kernel