HOMEVULNERABILITIESCVE-2026-43121
MEDIUM

CVE-2026-43121

Published: May 6, 2026· Updated: May 12, 2026

4.7
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix user_ref race between scrub and refill paths

The io_zcrx_put_niov_uref() function uses a non-atomic

check-then-decrement pattern (atomic_read followed by separate

atomic_dec) to manipulate user_refs. This is serialized against other

callers by rq_lock, but io_zcrx_scrub() modifies the same counter with

atomic_xchg() WITHOUT holding rq_lock.

On SMP systems, the following race exists:

CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock)

put_niov_uref:

atomic_read(uref) - 1

// window opens

atomic_xchg(uref, 0) - 1

return_niov_freelist(niov) [PUSH #1]

// window closes

atomic_dec(uref) - wraps to -1

returns true

return_niov(niov)

return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE]

The same niov is pushed to the freelist twice, causing free_count to

exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds

write (a u32 value) past the kvmalloc'd freelist array into the adjacent

slab object.

Fix this by replacing the non-atomic read-then-dec in

io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically

tests and decrements user_refs. This makes the operation safe against

concurrent atomic_xchg from scrub without requiring scrub to acquire

rq_lock.

[pavel: removed a warning and a comment]

NVD Source

Technical Analysis

CVE-2026-43121 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 4.7.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityHigh
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (3)

Quick Facts

CVE IDCVE-2026-43121
CVSS Score4.7 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43121 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.