Skip to main content

Linux Kernel CVE-2026-43128

| EUVDEUVD-2026-27691 HIGH
Double Free (CWE-415)
2026-05-06 Linux GHSA-6g84-hfm2-x43x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:30 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).

AnalysisAI

Double-free vulnerability in Linux kernel RDMA subsystem allows local authenticated attackers to trigger high-severity memory corruption. The flaw in ib_umem_dmabuf_get_pinned_with_dma_device() causes dma_buf_unpin() to be called twice on error paths - once immediately on failure and again during cleanup - enabling potential privilege escalation, system crashes, or information disclosure. Patches available for kernels 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, and 7.0+. EPSS score of 0.02% indicates low widespread exploitation probability, with no active exploitation or public POCs identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's RDMA (Remote Direct Memory Access) user memory management subsystem, specifically the DMA-BUF pinning mechanism used for zero-copy memory operations between devices. The flaw exists in ib_umem_dmabuf_get_pinned_with_dma_device() where failure in ib_umem_dmabuf_map_pages() triggers an immediate dma_buf_unpin() call while leaving the umem_dmabuf->pinned flag set to true. Subsequently, when ib_umem_release() executes its normal cleanup via ib_umem_dmabuf_revoke(), it encounters the pinned flag still set and calls dma_buf_unpin() a second time on the same buffer. This double-free condition violates kernel memory management invariants and can corrupt DMA buffer reference counts. The vulnerability stems from improper error handling in cleanup paths, a pattern related to use-after-free and double-free classes of memory safety issues. Affected CPE strings identify this as impacting Linux kernel RDMA components across multiple stable kernel branches since the dmabuf pinning feature was introduced in kernel 5.16 (commit 1e4df4a21c5a).

RemediationAI

Apply vendor patches immediately for systems using RDMA hardware or InfiniBand: upgrade to Linux kernel 6.1.165+, 6.6.128+, 6.12.75+, 6.18.16+, 6.19.6+, or 7.0+ depending on your stable branch. Patch commits are available from git.kernel.org stable tree (links provided in references section). If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable RDMA user-space memory registration by setting kernel parameter 'rdma.disable_user_mem=1' - this breaks applications relying on InfiniBand verbs and RDMA-CM, including MPI libraries, Lustre clients, and NVMe-oF initiators; (2) Restrict access to /dev/infiniband/* device nodes to only essential service accounts via udev rules - reduces attack surface but does not prevent exploitation by compromised RDMA applications running as those accounts; (3) Deploy kernel memory corruption detection via CONFIG_KFENCE or CONFIG_KASAN on test systems to detect exploitation attempts - performance overhead makes this unsuitable for production. Verify patch application by checking kernel git commit hash matches the fixed versions listed in EUVD-2026-27691.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy