Skip to main content

Linux Kernel EUVDEUVD-2026-27378

| CVE-2026-43073 MEDIUM
2026-05-05 Linux GHSA-w93x-73ch-q28m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 07, 2026 - 09:23 vuln.today
CVSS changed
Jun 07, 2026 - 09:22 NVD
5.5 (MEDIUM)
CVSS changed
Jun 07, 2026 - 09:22 NVD
5.5 (MEDIUM)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:29 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

x86-64: rename misleadingly named '__copy_user_nocache()' function

This function was a masterclass in bad naming, for various historical reasons.

It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it.

But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak.

Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination.

Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller).

Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.

AnalysisAI

Misuse of the __copy_user_nocache() function in the Linux kernel's x86-64 subsystem - specifically within NTB driver code and several other drivers - causes STAC/CLAC (SMAP-disabling) instructions to execute during kernel-to-kernel memory copies where no user-space access is actually performed. This incorrect usage defeats the Supervisor Mode Access Prevention (SMAP) protection temporarily and, critically, attaches user-space exception handling semantics to pure kernel copies; if a machine check exception or memory fault occurs during this window, the kernel may not handle it gracefully, resulting in a kernel panic. The CVSS availability-high rating (A:H) reflects this crash potential for any local authenticated user able to trigger the affected driver paths. No public exploit has been identified at time of analysis, and EPSS probability is negligible at 0.02%.

Technical ContextAI

The affected function __copy_user_nocache() (now renamed to clarify its true semantics) is an x86-64 assembly-level memory copy routine that uses non-temporal stores (MOVNTI/MOVNTQ) for the destination operand to ensure writes bypass CPU caches - a feature originally designed for writing to persistent/fragile memory targets such as NVDIMM or NTB-mapped regions to enable synchronous machine check exception (MCE) handling. The function also wraps execution with STAC (Set AC Flag) and CLAC (Clear AC Flag) instructions, which temporarily disable SMAP to allow supervisor-mode access to user-space pages. The root vulnerability (no formal CWE assigned by NVD) is a class of improper privilege-context function use: the NTB driver and other callers invoked this function for kernel-to-kernel copies, unnecessarily disabling SMAP and attaching user-space fault handlers to kernel memory operations. The CPE data (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) confirms the entire upstream Linux kernel tree is affected back to initial commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. The Google Project Zero tracker reference (issues.chromium.org/issues/496923375) suggests external security researcher involvement in identifying this misuse pattern.

RemediationAI

The primary fix is upgrading to patched Linux kernel versions: 6.12.83, 6.18.24, 6.19.14, 7.0.1, or 7.1-rc1, containing the upstream commits referenced at https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4 (7.0.x), https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0 (7.1-rc1), https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe (6.18.x), https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd (6.19.x), and https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660 (6.12.x). For systems where patching is not immediately possible, administrators should assess whether the NTB (Non-Transparent Bridge) driver is loaded (lsmod | grep ntb) and, if not required, blacklist it via /etc/modprobe.d/ using 'blacklist ntb' - this removes the primary identified misuse vector at the cost of disabling NTB hardware functionality. This workaround is not applicable to other drivers that may also call the affected function. Distribution maintainers (RHEL, Ubuntu, SUSE, Debian) should be consulted for backported patches to LTS kernels outside these upstream stable series.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-27378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy