Description
In the Linux kernel, the following vulnerability has been resolved:

x86-64: rename misleadingly named '__copy_user_nocache()' function

This function was a masterclass in bad naming, for various historical
reasons.

It claimed to be a non-cached user copy. It is literally _neither_ of
those things. It's a specialty memory copy routine that uses
non-temporal stores for the destination (but not the source), and that
does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts
(whether at beginning or end) will not use non-temporal stores, since
only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space
accesses, but not on its own - it needs all the normal "start user space
access" logic around it.

But typically the user space access would be the source, not the
non-temporal destination. That was the original intention of this,
where the destination was some fragile persistent memory target that
needed non-temporal stores in order to catch machine check exceptions
synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space
into a non-cached kernel buffer. However, the existing users are a mix
of that intended use-case, and a couple of random drivers that just did
this as a performance tweak.

Some of those random drivers then actively misused the user copying
version (with STAC/CLAC and all) to do kernel copies without ever even
caring about the exception handling, _just_ for the non-temporal
destination.

Rename it as a first small step to actually make it halfway sane, and
change the prototype to be more normal: it doesn't take a user pointer
unless the caller has done the proper conversion, and the argument size
is the full size_t (it still won't actually copy more than 4GB in one
go, but there's also no reason to silently truncate the size argument in
the caller).

Finally, use this now sanely named function in the NTB code, which
mis-used a user copy version (with STAC/CLAC and all) of this interface
despite it not actually being a user copy at all.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The commit is not fixing a deliberately planted flaw; it is fixing a misnamed x86-64 helper whose name promised a "non-cached user copy" and delivered neither. What the routine actually does is copy with non-temporal stores on the destination side only (the source is read through the cache), and only for the 8-byte-aligned middle of the buffer, since x86 can store non-temporally only whole words and quadwords; any unaligned head or tail bytes are written with ordinary stores. It also carries exception handling on both the source and the destination accesses, which is why it can take part in a user-space copy, but only when the caller supplies the normal "start user access" setup around it. The intended use was the reverse of what the name suggests: user space as the source, and a fragile persistent-memory target as the destination, where non-temporal stores let machine-check exceptions surface synchronously. Two misuses grew out of the name. A couple of drivers used the routine purely as a performance tweak for the non-temporal destination, and some of them called the user-copy entry point, STAC and CLAC included, for copies where neither pointer was a user pointer at all. That runs a kernel-to-kernel copy with SMAP's user-access check suspended for no reason and with fault handling nobody needed; the commit names the NTB code as one such caller. Separately, the old prototype took the length in a type narrower than size_t, so callers silently truncated large sizes even though the routine itself cannot copy more than 4GB in one call. The commit message describes no out-of-bounds write or privilege-escalation path; the practical effects are the unnecessary STAC window in the affected drivers and the silent length truncation. The fix renames the function, changes it to take already-converted kernel pointers and a full size_t length, and converts the NTB code to the renamed routine.
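The following user-space C program is an added illustration, not code from the kernel or from this commit; it models the mechanical points above. `nt_plan_for()` splits a copy into the unaligned head, the 8-byte-aligned middle that could use non-temporal stores, and the tail; `nt_copy_emulated()` performs the copy that way (ordinary aligned 8-byte stores stand in for `movnti`, and no fault handling is modelled); `user_nocache_copy_model()` and `kernel_nocache_copy_model()` differ only in whether a modelled STAC/CLAC pair surrounds the copy, with a counter showing how many bytes of a kernel-to-kernel copy end up inside that window when the wrong entry point is used; and `old_prototype_truncates()` shows the silent size truncation the new `size_t` prototype removes. Every function name, the two counters and the constructed 29-byte sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* How one copy splits up: only the 8-byte-aligned middle of the destination
 * can take non-temporal stores; head and tail bytes get ordinary stores. */
struct nt_plan {
    size_t head;   /* bytes before the first 8-byte-aligned destination word */
    size_t quads;  /* aligned 8-byte words eligible for non-temporal stores */
    size_t tail;   /* bytes left over after the last full word */
};

struct nt_plan nt_plan_for(uintptr_t dst, size_t len)
{
    struct nt_plan p = { 0, 0, 0 };
    size_t mis = dst & 7;
    p.head = mis ? 8 - mis : 0;
    if (p.head > len)
        p.head = len;        /* too short to ever reach an aligned word */
    p.quads = (len - p.head) / 8;
    p.tail = (len - p.head) % 8;
    return p;
}

/* Hypothetical bookkeeping for the STAC/CLAC window (SMAP suspended). */
static int user_access_open;            /* 1 between a STAC and its CLAC */
static size_t bytes_copied_under_stac;  /* bytes moved while it was open */
static void model_stac(void) { user_access_open = 1; }
static void model_clac(void) { user_access_open = 0; }

/* Copy according to the plan. Loads are ordinary; the aligned 8-byte stores
 * stand in for movnti. Fault handling is not modelled. Returns how many
 * stores would have been non-temporal. */
size_t nt_copy_emulated(void *dst, const void *src, size_t len)
{
    struct nt_plan p = nt_plan_for((uintptr_t)dst, len);
    unsigned char *d = dst;
    const unsigned char *s = src;
    memcpy(d, s, p.head);
    d += p.head;
    s += p.head;
    for (size_t i = 0; i < p.quads; i++) {
        uint64_t w;
        memcpy(&w, s, sizeof w);   /* cached load from the source */
        memcpy(d, &w, sizeof w);   /* one aligned 8-byte store */
        d += sizeof w;
        s += sizeof w;
    }
    memcpy(d, s, p.tail);
    if (user_access_open)
        bytes_copied_under_stac += len;
    return p.quads;
}

/* User-copy flavour: STAC/CLAC around the copy, like the old
 * __copy_user_nocache() entry point the NTB code had been calling. */
size_t user_nocache_copy_model(void *dst, const void *src, size_t len)
{
    model_stac();
    size_t q = nt_copy_emulated(dst, src, len);
    model_clac();
    return q;
}

/* Kernel-to-kernel flavour: what a caller with no user pointer needs. */
size_t kernel_nocache_copy_model(void *dst, const void *src, size_t len)
{
    return nt_copy_emulated(dst, src, len);
}

/* The old prototype took the length in a type narrower than size_t. */
int old_prototype_truncates(size_t len) { return (unsigned int)len != len; }

/* Self-check on a constructed 29-byte buffer copied to a destination 3 bytes
 * past an 8-byte boundary. Bitmask: 1 = data intact and 3 quads used,
 * 2 = kernel path moved 0 bytes under STAC, 4 = user path moved all 29. */
int nocache_model_selftest(void)
{
    uint64_t raw[8];                          /* 8-byte aligned backing */
    unsigned char *dst = (unsigned char *)raw + 3;
    unsigned char src[29];
    int result = 0;
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(i * 7 + 1);
    bytes_copied_under_stac = 0;
    size_t q1 = kernel_nocache_copy_model(dst, src, sizeof src);
    result |= bytes_copied_under_stac == 0 ? 2 : 0;
    bytes_copied_under_stac = 0;
    size_t q2 = user_nocache_copy_model(dst, src, sizeof src);
    result |= bytes_copied_under_stac == sizeof src ? 4 : 0;
    result |= (q1 == 3 && q2 == 3 && !memcmp(dst, src, sizeof src)) ? 1 : 0;
    return result;
}

int main(void)
{
    return nocache_model_selftest() == 7 ? 0 : 1;   /* exit 0 on full pass */
}
```

The self-test copies 29 bytes to an address 3 bytes past an 8-byte boundary, so the plan is 5 head bytes, 3 streamable quadwords and no tail; the same copy made through the user-copy wrapper reports all 29 bytes inside the STAC window, which is the needless exposure the commit removes for the NTB caller.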

Affected Systems

The commit touches the x86-64 copy routines and the NTB driver, so the scope is x86-64 kernels that still carry the routine under its old name, with the narrower length parameter, together with in-tree callers (the commit names the NTB code) that used the user-copy entry point for copies involving no user pointer. The CVE data gives no kernel version range; the only CPE is a wildcard over linux_kernel. Out-of-tree and vendor drivers that call '__copy_user_nocache()' for kernel-to-kernel copies are in the same position as the in-tree misusers until they are moved to the renamed routine.

Risk and Exploitability

The issue is not remotely exploitable and, on the commit's own description, is not reachable from unprivileged user space: the misuse is in-kernel code calling an internal helper through the wrong wrapper. The consequences the commit describes are a needless STAC/CLAC window, with SMAP's user-access check suspended, during kernel-to-kernel copies in the affected drivers, and silent truncation of any length that does not fit the old, narrower size parameter. No CVSS score is provided, no EPSS data is available, and the entry is not in CISA's KEV catalog. Treat this as a cleanup and hardening change: the commit message calls itself a first small step and does not claim to close a memory-safety bug, so the priority is whatever a distribution's backport schedule gives it rather than emergency patching.

Generated by OpenCVE AI on May 5, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Pick up the kernel commit, or your distribution's backport of it, that renames the routine, changes its prototype to take already-converted kernel pointers and a full size_t length, and moves the NTB code off the user-copy variant.
  • Audit out-of-tree and vendor drivers for calls to '__copy_user_nocache()': copies between kernel buffers should use the renamed non-user routine or plain memcpy, and anything that really reads user memory should go through copy_from_user() or an equivalent that performs the user-access setup and fault handling itself.
  • Where a driver used the routine only as a performance tweak for the non-temporal destination, check that it is not silently truncating the length through the old parameter type and that it no longer opens user access (STAC/CLAC) for a copy with no user pointer.

Generated by OpenCVE AI on May 5, 2026 at 18:05 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:30:00 +0000

Type / Values Removed / Values Added
Weaknesses: added CWE-20, CWE-29

Tue, 05 May 2026 16:15:00 +0000

Type / Values Removed / Values Added
Description: added (the commit message reproduced in full under Description above)
Title: added "x86-64: rename misleadingly named '__copy_user_nocache()' function"
First Time appeared: Linux; Linux linux Kernel
CPEs: added cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: added Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:29:29.510Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43073

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T16:16:16.650

Modified: 2026-05-05T16:16:16.650

Link: CVE-2026-43073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:15:29Z

Weaknesses