Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_ref race between scrub and refill paths

The io_zcrx_put_niov_uref() function uses a non-atomic
check-then-decrement pattern (atomic_read followed by separate
atomic_dec) to manipulate user_refs. This is serialized against other
callers by rq_lock, but io_zcrx_scrub() modifies the same counter with
atomic_xchg() WITHOUT holding rq_lock.

On SMP systems, the following race exists:

CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock)
put_niov_uref:
atomic_read(uref) - 1
// window opens
atomic_xchg(uref, 0) - 1
return_niov_freelist(niov) [PUSH #1]
// window closes
atomic_dec(uref) - wraps to -1
returns true
return_niov(niov)
return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE]

The same niov is pushed to the freelist twice, causing free_count to
exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds
write (a u32 value) past the kvmalloc'd freelist array into the adjacent
slab object.

Fix this by replacing the non-atomic read-then-dec in
io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically
tests and decrements user_refs. This makes the operation safe against
concurrent atomic_xchg from scrub without requiring scrub to acquire
rq_lock.

[pavel: removed a warning and a comment]
Published: 2026-05-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, a race condition in the Linux kernel’s io_uring zcrx subsystem allows concurrent execution of the scrub and refill paths to double‑free a buffer structure. The double free causes the buffer’s reference counter to wrap to –1, and subsequent freelist pushes write a 32‑bit value past the allocated array into adjacent kernel memory. This out‑of‑bounds write corrupts kernel data structures and, based on the typical impact of kernel memory corruption, it is inferred that an attacker could gain elevated privileges by executing arbitrary code in supervisor mode.

Affected Systems

All Linux kernels that include the io_uring zcrx implementation and have not yet incorporated the patch referenced in the provided commit URLs. No specific version numbers are listed, so any kernel prior to the fix is considered vulnerable.

Risk and Exploitability

Although the CVSS score is not published, the kernel memory corruption described is a high‑severity fault. No publicly confirmed exploits are listed. The feature is only exposed through the io_uring interface, so limited to workloads that use io_uring. Based on the description, it is inferred that the out‑of‑bounds write could lead to arbitrary kernel code execution, making the risk substantial for affected systems. The vulnerability is not listed in CISA’s KEV catalog, indicating no known large‑scale exploitation yet.

Generated by OpenCVE AI on May 7, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that contains the commit fixing the io_uring race condition.
  • If upgrading is currently infeasible, disable or restrict the use of io_uring (or the zcrx feature) on the affected systems.
  • Enable kernel hardening features such as SELinux, KASLR, and memory protection mechanisms to reduce the chance of successful exploitation.

Generated by OpenCVE AI on May 7, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-362
CWE-415

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References

Wed, 06 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-362
CWE-415

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]
Title io_uring/zcrx: fix user_ref race between scrub and refill paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:08.216Z

Reserved: 2026-05-01T14:12:55.987Z

Link: CVE-2026-43121

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:28.950

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43121

cve-icon Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43121 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses