Description
In the Linux kernel, the following vulnerability has been resolved:

x86-64: rename misleadingly named '__copy_user_nocache()' function

This function was a masterclass in bad naming, for various historical
reasons.

It claimed to be a non-cached user copy. It is literally _neither_ of
those things. It's a specialty memory copy routine that uses
non-temporal stores for the destination (but not the source), and that
does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts
(whether at beginning or end) will not use non-temporal stores, since
only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space
accesses, but not on its own - it needs all the normal "start user space
access" logic around it.

But typically the user space access would be the source, not the
non-temporal destination. That was the original intention of this,
where the destination was some fragile persistent memory target that
needed non-temporal stores in order to catch machine check exceptions
synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space
into a non-cached kernel buffer. However, the existing users are a mix
of that intended use-case, and a couple of random drivers that just did
this as a performance tweak.

Some of those random drivers then actively misused the user copying
version (with STAC/CLAC and all) to do kernel copies without ever even
caring about the exception handling, _just_ for the non-temporal
destination.

Rename it as a first small step to actually make it halfway sane, and
change the prototype to be more normal: it doesn't take a user pointer
unless the caller has done the proper conversion, and the argument size
is the full size_t (it still won't actually copy more than 4GB in one
go, but there's also no reason to silently truncate the size argument in
the caller).

Finally, use this now sanely named function in the NTB code, which
mis-used a user copy version (with STAC/CLAC and all) of this interface
despite it not actually being a user copy at all.
Published: 2026-05-05
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contained a helper named __copy_user_nocache that was a misnomer; it actually performed non‑temporal stores and handled exceptions for both source and destination, but it did not enforce the proper user‑space access checks that a real "copy_user" function would require, constituting an instance of CWE-440: improper restriction on usage of a function. Drivers had been using this routine for various purposes, including performance tweaks and copying from user space into special kernel buffers, without guaranteeing that the source data was trusted or that bounds were respected. The rename and prototype change add proper restrictions to the function, but until the patch is applied or the code is reviewed, code paths that call the routine could inadvertently perform unsafe kernel copies.

Affected Systems

All Linux kernel releases that include the __copy_user_nocache helper are affected, which comprises the current and older mainstream kernels until the patch is merged. Users of any distribution running an unpatched kernel should assume that the function is present and may be misused by device drivers or kernel modules that call it directly.

Risk and Exploitability

No remote exploitation path is documented in the CVE entry, and the EPSS score is less than 1 %, indicating no widespread known exploitation. The CVSS score of 5.5 reflects a moderate potential impact if a driver incorrectly invokes the helper; however, the risk is largely limited to kernel stability and correctness rather than a high‑severity security flaw. The vulnerability is not listed in the CISA KEV catalog, further supporting that it is not currently actively exploited.

Generated by OpenCVE AI on May 26, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that renames the function and confines its use to contexts that already performed the appropriate user‑space access checks.
  • Audit and modify any device drivers or kernel modules that invoke __copy_user_nocache(), replacing the call with safe copying primitives such as copy_from_user(), copy_to_user(), or memcpy() with proper validation.
  • If a driver’s logic depends on the old behaviour for non‑temporal stores, update the driver to use the corrected routine after applying the patch or disable the driver until it can be verified to honour the new restrictions.

Generated by OpenCVE AI on May 26, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:4.2:-:*:*:*:*:*:*

Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-29

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-440
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Tue, 05 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-29

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: x86-64: rename misleadingly named '__copy_user_nocache()' function This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.
Title x86-64: rename misleadingly named '__copy_user_nocache()' function
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:11.830Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43073

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T16:16:16.650

Modified: 2026-05-22T14:55:58.977

Link: CVE-2026-43073

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43073 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses