CVE-2026-43128 - Vulnerability Details

- RDMA/umem: Fix double dma_buf_unpin in failure path

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The bug causes the RDMA umem subsystem to unpin a DMA buffer twice when a mapping failure occurs. The first unpin is performed immediately on failure, but the internal flag is left set. When the buffer is released later, the system attempts to unpin it again, resulting in a double‑unpin operation. Because the description does not indicate any crash or data corruption, the impact remains uncertain; the double unpin may lead to resource mis‑management or kernel instability under certain conditions.

Affected Systems

All Linux kernels that include the RDMA umem code path prior to the series of commits that address the double‑unpin condition are potentially affected. Versions older than the patched revisions (identified by the provided commit hashes) are at risk. No explicit version range is listed, so any system running a pre‑patched kernel should consider this issue.

Risk and Exploitability

The CVSS and EPSS information is not available, so overall risk assessment is limited. The bug manifests when a RDMA buffer mapping fails, requiring an attacker to trigger that failure path; this suggests a local context. Since no public exploitation is known, the likelihood of exploitation is uncertain. The fact that the vulnerability is not listed in the CISA KEV catalog indicates no known, active exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< 70542b69abff34d24b11ae0bb200cc7a766d18df
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< b324327ff6f48d8065dca67eb3b91357e72726bd
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< ba3bf0f1bf1d5d0404678485e872980532fcc2c4
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< 40126bcbefa79ea86672e05dae608596bab38319
`1e4df4a21c5ac722df1099eee30cad9246c889b5`	affected	< 104016eb671e19709721c1b0048dd912dc2e96be

Linux

affected

Version	Status	Constraints
`5.16`	affected	—
`0`	unaffected	< 5.16
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,70542b69abff34d24b11ae0bb200cc7a766d18df)`	affected	code_commit	—
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,b324327ff6f48d8065dca67eb3b91357e72726bd)`	affected	code_commit	—
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,ba3bf0f1bf1d5d0404678485e872980532fcc2c4)`	affected	code_commit	—
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf)`	affected	code_commit	—
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,40126bcbefa79ea86672e05dae608596bab38319)`	affected	code_commit	—
`[1e4df4a21c5ac722df1099eee30cad9246c889b5,104016eb671e19709721c1b0048dd912dc2e96be)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.16`	affected	generic	—
`[0,5.16)`	unaffected	generic	—
`[0,6.1.*]`	unaffected	generic	—
`[0,6.6.*]`	unaffected	generic	—
`[0,6.12.*]`	unaffected	generic	—
`[0,6.18.*]`	unaffected	generic	—
`[0,6.19.*]`	unaffected	generic	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Linux kernel update that includes the relevant commits to eliminate the double unpin situation.
If an immediate kernel upgrade is not possible, disable RDMA-related modules (such as ib_umem and ib_core) or services that use RDMA to prevent the mapping path from being exercised.
After applying the patch or disabling RDMA, monitor kernel logs for anomalies related to dma_buf_unpin or related errors.

Generated by OpenCVE AI on May 6, 2026 at 16:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/104016eb671e19709721c1b0048dd912dc2e96be
https://git.kernel.org/stable/c/40126bcbefa79ea86672e05dae608596bab38319
https://git.kernel.org/stable/c/70542b69abff34d24b11ae0bb200cc7a766d18df
https://git.kernel.org/stable/c/b324327ff6f48d8065dca67eb3b91357e72726bd
https://git.kernel.org/stable/c/ba3bf0f1bf1d5d0404678485e872980532fcc2c4
https://git.kernel.org/stable/c/d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf

History

Wed, 06 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).
Title		RDMA/umem: Fix double dma_buf_unpin in failure path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/104016eb671e19709721c1b0048dd912dc2e96be https://git.kernel.org/stable/c/40126bcbefa79ea86672e05dae608596bab38319 https://git.kernel.org/stable/c/70542b69abff34d24b11ae0bb200cc7a766d18df https://git.kernel.org/stable/c/b324327ff6f48d8065dca67eb3b91357e72726bd https://git.kernel.org/stable/c/ba3bf0f1bf1d5d0404678485e872980532fcc2c4 https://git.kernel.org/stable/c/d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:17.474Z

Updated: 2026-05-06T11:27:17.474Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43128

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:29.837

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:45:07Z

Weaknesses

CWE-415

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object