Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug causes the RDMA umem subsystem to unpin a DMA buffer twice when a mapping failure occurs. The first unpin is performed immediately on failure but the internal pinned flag remains set. When the buffer is released later, a second unpin is attempted, which may disrupt kernel memory management and lead to kernel instability. The description does not mention a crash or data corruption, so while the precise impact is uncertain, the double unpin could result in improper resource cleanup.
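The failure path from the description, modelled in userspace C as an added example (not kernel code and not part of the advisory). The `model_*` names, the two counters, and the assumption that cleanup always runs through the release path are constructs of this model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: names echo the advisory, nothing here is kernel code. */
enum map_result { MAP_OK, MAP_FAIL_EARLY, MAP_FAIL_TIMEOUT };
struct model_umem {
    int pin_count;          /* pins held on the modelled dmabuf */
    bool pinned;            /* models umem_dmabuf->pinned */
    bool sgt_set;           /* models a non-NULL umem_dmabuf->sgt */
    int extra_unpins;       /* unpins issued with no pin held */
    int unpin_before_unmap; /* unpins issued while still mapped */
};

static void model_unpin(struct model_umem *u)
{
    if (u->sgt_set)
        u->unpin_before_unmap++;
    if (u->pin_count == 0)
        u->extra_unpins++;
    else
        u->pin_count--;
}

/* Models the release/revoke path: unmap first, then unpin if flagged. */
static void model_release(struct model_umem *u)
{
    u->sgt_set = false;
    if (u->pinned) {
        model_unpin(u);
        u->pinned = false;
    }
}

/* Models the pinned-get path; patched=false keeps the immediate unpin. */
struct model_umem model_get_pinned(enum map_result r, bool patched)
{
    struct model_umem u = { .pin_count = 1, .pinned = true };
    u.sgt_set = (r != MAP_FAIL_EARLY);  /* a timeout fails after sgt is set */
    if (r != MAP_OK && !patched)
        model_unpin(&u);                /* pre-fix: pinned flag stays set */
    model_release(&u);                  /* cleanup runs in both variants */
    return u;
}

int main(void)
{
    struct model_umem a = model_get_pinned(MAP_FAIL_TIMEOUT, false);
    printf("pre-fix: extra=%d misordered=%d\n", a.extra_unpins, a.unpin_before_unmap);
    return 0;
}
```

In the model, the pre-fix variant produces one unbalanced unpin on any mapping failure and, for the timeout case, also unpins before unmapping; the patched variant produces neither.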

Affected Systems

All Linux kernels that include the RDMA umem code path prior to the series of commits that address the double‑unpin condition are potentially affected. Versions older than the patched revisions (identified by the provided commit hashes) are at risk. No explicit version range is listed, so any system running a pre‑patched kernel should consider this issue.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score is below 1%, suggesting a very low probability of exploitation. Because the double‑unpin occurs only when the RDMA umem mapping fails, an attacker would need to trigger that failure, implying a local or privileged context. Based on the description, it is inferred that the attack vector is likely local or requires elevated privileges; no remote execution is indicated. The vulnerability is not listed in the CISA KEV catalog, meaning no known active exploitation exists.

Generated by OpenCVE AI on May 8, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel update that includes the relevant commits to eliminate the double unpin situation.
  • If an immediate kernel upgrade is not possible, disable RDMA‑related modules (such as ib_umem and ib_core) or services that use RDMA to prevent the mapping path from being exercised.
  • After applying the patch or disabling RDMA, monitor kernel logs for anomalies related to dma_buf_unpin or related errors.

Generated by OpenCVE AI on May 8, 2026 at 19:40 UTC.


Advisories

No advisories yet.

History

Fri, 08 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics (removed): cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics (added): cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References
Metrics (removed): threat_severity None
Metrics (added): cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title RDMA/umem: Fix double dma_buf_unpin in failure path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:17.976Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43128

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:29.837

Modified: 2026-05-08T17:52:13.233

Link: CVE-2026-43128

Red Hat

Severity: Important

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43128 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T19:45:15Z

Weaknesses