Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix post open error handling

Closing a queue doesn't guarantee that all associated page pools are
terminated right away, let the refcounting do the work instead of
releasing the zcrx ctx directly.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s io_uring zcrx implementation contains a flaw that occurs when a queue is closed without guaranteeing that all related page pools are terminated immediately. The commit that fixed the issue, referenced in the advisory, indicates that the current logic releases the zcrx context directly instead of letting reference counting conclude, leaving dangling references. Based on the description, it is inferred that this omission can lead to use‑after‑free or other memory corruption, potentially causing a kernel panic or denial of service if an attacker can trigger the erroneous cleanup.

Affected Systems

All Linux distributions that run a kernel build before the inclusion of the fix in commit 18afaff077b46655a8eb6fd7f6de1b81327be577. No specific distribution or kernel release is enumerated in the advisory, so any older kernel that contains the before‑fix code is considered vulnerable.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is less than 1 %, indicating moderate severity and a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so there are no known active attacks. Nevertheless, if an attacker can trigger the erroneous cleanup in io_uring zcrx, it could lead to a kernel panic or denial of service via a use‑after‑free or related memory corruption.

Generated by OpenCVE AI on May 12, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that includes commit 18afaff077b46655a8eb6fd7f6de1b81327be577, which corrects the post‑open error handling in io_uring zcrx.
  • If a kernel upgrade cannot be performed immediately, avoid using interfaces that expose io_uring zcrx in environments where untrusted code can open and close queues until the patch is applied.
  • Monitor kernel logs for signs of page pool deallocations or crash backtraces that could indicate exploitation attempts.

Generated by OpenCVE AI on May 12, 2026 at 22:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Wed, 06 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.
Title io_uring/zcrx: fix post open error handling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:13.127Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43174

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:35.850

Modified: 2026-05-12T20:01:34.590

Link: CVE-2026-43174

cve-icon Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43174 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:00:12Z

Weaknesses