{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "34a3e60821ab9f335a58d43a88cccdbefdebdec3"
            },
            {
              "fixed": "a94f096e28bfc7975163a6b80f1c8f323efe317a"
            },
            {
              "fixed": "485dc691257b96e6d3bdc25b0eff2daadcc5c46c"
            },
            {
              "fixed": "003049b1c4fb8aabb93febb7d1e49004f6ad653b"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.15.0"
            },
            {
              "fixed": "6.18.16"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43121.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix user_ref race between scrub and refill paths\n\nThe io_zcrx_put_niov_uref() function uses a non-atomic\ncheck-then-decrement pattern (atomic_read followed by separate\natomic_dec) to manipulate user_refs. This is serialized against other\ncallers by rq_lock, but io_zcrx_scrub() modifies the same counter with\natomic_xchg() WITHOUT holding rq_lock.\n\nOn SMP systems, the following race exists:\n\n  CPU0 (refill, holds rq_lock)          CPU1 (scrub, no rq_lock)\n  put_niov_uref:\n    atomic_read(uref) - 1\n    // window opens\n                                        atomic_xchg(uref, 0) - 1\n                                        return_niov_freelist(niov) [PUSH #1]\n    // window closes\n    atomic_dec(uref) - wraps to -1\n    returns true\n    return_niov(niov)\n    return_niov_freelist(niov)           [PUSH #2: DOUBLE-FREE]\n\nThe same niov is pushed to the freelist twice, causing free_count to\nexceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds\nwrite (a u32 value) past the kvmalloc'd freelist array into the adjacent\nslab object.\n\nFix this by replacing the non-atomic read-then-dec in\nio_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically\ntests and decrements user_refs. This makes the operation safe against\nconcurrent atomic_xchg from scrub without requiring scrub to acquire\nrq_lock.\n\n[pavel: removed a warning and a comment]",
  "id": "CVE-2026-43121",
  "modified": "2026-07-15T01:49:04.384432272Z",
  "published": "2026-05-06T11:27:08.216Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e49004f6ad653b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0eff2daadcc5c46c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1c8f323efe317a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43121.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43121"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "io_uring/zcrx: fix user_ref race between scrub and refill paths"
}