Description
In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.

Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:

- pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
not a native PFN. Reconstruct the physical address first and derive
the native page from it, so the mapping stays correct where
PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).

- Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
grouping in the page buffer array"), an entry describes a full
physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
while kmap_local_page() maps a single page. Copy page by page,
splitting at native page boundaries.

The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.
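The address reconstruction and page-by-page split described above, as an added userspace model in C; it is not the kernel patch or driver code. `split_entry()`, `struct chunk` and `SAMPLE_LOWMEM_END` are hypothetical names, and the 896 MiB boundary and the sample entry are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

#define HV_HYP_PAGE_SHIFT 12               /* Hyper-V PFNs are 4K-granular */
#define SAMPLE_LOWMEM_END (896ULL << 20)   /* constructed sample boundary */

struct chunk {            /* one single-page copy (hypothetical type) */
    uint64_t native_pfn;  /* page that would be passed to kmap_local_page() */
    uint32_t off, len;    /* offset and length inside that native page */
    int highmem;          /* 1 if outside the sample direct map */
};

/* Split one page buffer entry at native page boundaries.
 * Returns the number of chunks, or -1 if 'out' is too small. */
static int split_entry(uint64_t hv_pfn, uint32_t offset, uint32_t len,
                       unsigned page_shift, struct chunk *out, int max)
{
    /* Rebuild the physical address first: hv_pfn is not a native PFN. */
    uint64_t phys = (hv_pfn << HV_HYP_PAGE_SHIFT) + offset;
    uint64_t page_size = 1ULL << page_shift;
    int n = 0;

    while (len) {
        uint32_t off = (uint32_t)(phys & (page_size - 1));
        uint32_t room = (uint32_t)(page_size - off);
        uint32_t this_len = len < room ? len : room;

        if (n == max)
            return -1;
        out[n].native_pfn = phys >> page_shift;
        out[n].off = off;
        out[n].len = this_len;
        out[n].highmem = phys >= SAMPLE_LOWMEM_END;
        n++;
        phys += this_len;
        len -= this_len;
    }
    return n;
}

int main(void)
{
    struct chunk c[4];
    /* Constructed entry: fragment at 1 GiB, crossing a 4K page boundary. */
    int n = split_entry(0x40000, 3000, 2000, 12, c, 4);

    for (int i = 0; i < n; i++)
        printf("pfn=%#llx off=%u len=%u highmem=%d\n",
               (unsigned long long)c[i].native_pfn, c[i].off, c[i].len, c[i].highmem);
    return 0;
}
```

Passing `page_shift` 16 models the arm64 64K-page case, where several Hyper-V PFNs fall inside one native page and the in-page offset is no longer the entry offset.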
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper use of phys_to_virt to map Hyper‑V page buffer entries that reference high‑memory pages on 32‑bit x86 systems with CONFIG_HIGHMEM. When a packet containing a skb fragment points to a high‑memory page, phys_to_virt returns an address outside the direct map. Subsequent memcpy on that address faults on the transmit softirq path, causing a kernel panic. The bug does not enable arbitrary code execution but leads to a local or remote service disruption, as a single packet that triggers the fault will crash the host kernel. The weakness can be classified as a memory‑access error that results in kernel panic.

Affected Systems

The issue affects Linux kernel builds that provide the hv_netvsc driver for Hyper‑V virtual network interfaces. Systems running a 32‑bit x86 kernel with CONFIG_HIGHMEM enabled and transmitting packets that include skb fragments are susceptible. The patch addresses the page mapping logic for all architectures that support Hyper‑V, including arm64, but the failure scenario is most common on x86 with high‑memory pages.

Risk and Exploitability

The CVSS score is not provided, and EPSS is not available, so the precise exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. The attack requires that the victim host receives a network packet over the Hyper‑V netvsc interface that contains a fragment referencing a high‑memory page exceeding the send‑section size of 6144 bytes. An attacker who can force such traffic will cause a kernel panic, resulting in a denial of service. The impact is limited to the affected host; no remote code execution is possible.

Generated by OpenCVE AI on June 25, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the commit which replaces phys_to_virt with kmap_local_page in netvsc_copy_to_send_buf.
  • Limit the size of transmitted packets over Hyper‑V netvsc to the default send‑section size of 6144 bytes (or enable the cp_partial path by using smaller frames).
  • If a kernel update is not immediately feasible, disable the CONFIG_HIGHMEM option on 32‑bit x86 systems or migrate the host to a different network driver that does not use the vulnerable path.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-119, CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Title: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:08.320Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53199

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:00:11Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-125

    Out-of-bounds Read