VYPR
Medium severity 5.5 · NVD Advisory · Published May 1, 2026 · Updated May 8, 2026

CVE-2026-43045

Description

In the Linux kernel, the following vulnerability has been resolved:

mshv: Fix error handling in mshv_region_pin

The current error handling has two issues:

First, pin_user_pages_fast() can return a short pin count (less than requested but greater than zero) when it cannot pin all requested pages. This is treated as success, leading to partially pinned regions being used, which causes memory corruption.

Second, when an error occurs mid-loop, already pinned pages from the current batch are not properly accounted for before calling mshv_region_invalidate_pages(), causing a page reference leak.

Treat short pins as errors and fix partial batch accounting before cleanup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, improper error handling in mshv_region_pin can lead to memory corruption and page reference leaks.

Vulnerability

In the Linux kernel, mshv_region_pin, which calls pin_user_pages_fast(), contains two error handling flaws. First, pin_user_pages_fast() can return a short pin count, a positive number less than requested, when it cannot pin all pages. The code incorrectly treats this as success, allowing partially pinned regions to be used, which can lead to memory corruption [1]. Second, when an error occurs mid-loop (e.g., an invalid or faulting page in a batch), the already-pinned pages from the current batch are not accounted for before the cleanup function mshv_region_invalidate_pages() is called, causing a page reference leak [2].
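The two flaws in a user-space model (an added example, not the kernel's mshv code or the upstream patch). fake_pin() stands in for pin_user_pages_fast(); the region size, batch size, failing page, and the assumption that an accepted short count advances the loop by a full batch are all constructed for illustration.

```c
/* User-space model of the two flaws; fake_pin() is a stand-in, not kernel code. */
#include <stdio.h>
#include <string.h>

#define NPAGES 10   /* constructed region size, in pages */
#define BATCH  4    /* constructed batch size */
#define BAD    6    /* constructed: the page that cannot be pinned */
static int refs[NPAGES];   /* pin references held, per page */
/* Models pin_user_pages_fast(): count pinned (maybe short), or -1 if none. */
static int fake_pin(int start, int n)
{
    int i = 0;
    while (i < n && start + i != BAD)
        refs[start + i++]++;
    return i > 0 ? i : -1;
}
/* Pin references still held across the region. */
static int pinned(void)
{
    int n = 0;
    for (int i = 0; i < NPAGES; i++)
        n += refs[i];
    return n;
}

/* Returns 0 if the region is reported pinned, -1 after cleanup on failure. */
static int region_pin(int short_is_error, int count_partial)
{
    int done = 0, ret = 0, want = 0;
    memset(refs, 0, sizeof(refs));
    for (; done < NPAGES; done += want) {   /* advances as if the batch were full */
        want = NPAGES - done < BATCH ? NPAGES - done : BATCH;
        ret = fake_pin(done, want);
        if (ret < 0 || (short_is_error && ret != want))
            goto cleanup;
    }
    return 0;
cleanup:
    if (count_partial && ret > 0)
        done += ret;          /* include the partially pinned batch */
    while (done-- > 0)
        refs[done]--;         /* models the cleanup pass over [0, done) */
    return -1;
}
int main(void)
{
    int rc = region_pin(1, 1);   /* short pin is an error, partial batch counted */
    printf("rc=%d held=%d\n", rc, pinned());
    return 0;
}
```

In this model region_pin(0, 0) reports success with only 8 of 10 pages pinned, region_pin(1, 0) fails but leaves 2 references held, and region_pin(1, 1) fails with none held.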

Exploitation

An attacker with local access and the ability to interact with the Microsoft Hyper-V (mshv) driver's memory pinning functionality could trigger the bug. No special privileges beyond those needed to invoke the affected ioctl or system call are required. The attack does not require authentication over a network; it is exploitable locally. By providing a mixture of valid and invalid pages in a pin request, the attacker can cause pin_user_pages_fast() to return a short count, leading to the corruption.

Impact

Successful exploitation can result in memory corruption (write to partially pinned memory) and/or a page reference leak, which over time can exhaust system memory. These issues can cause system instability, denial of service, or potentially escalate privileges, depending on the kernel memory layout and other protections.

Mitigation

The fix has been committed to the Linux kernel stable tree as of early May 2026. Administrators should apply the patch (commit references [1][2]) or upgrade their kernel to a version containing the fix. No workaround is available; a reboot is required to apply the fix. This vulnerability is not known to be on the CISA KEV list as of the publication date.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (5 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.15,<6.19.12)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Patches

No patches discovered yet.
