CVE-2026-43073
Description
In the Linux kernel, the following vulnerability has been resolved:
x86-64: rename misleadingly named '__copy_user_nocache()' function
This function was a masterclass in bad naming, for various historical reasons.
It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses.
Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86.
The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it.
But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully.
Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak.
Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination.
Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller).
Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel renames the misleading '__copy_user_nocache()' function to clarify it is not a non-cached user copy, improving code clarity and safety.
The Linux kernel's __copy_user_nocache() function has been renamed to address its misleading name. Historically, the function was neither a non-cached copy nor strictly a user copy; it is a specialized memory copy routine using non-temporal stores for the destination, with exception handling for both source and destination accesses. The rename is a first step toward making the function's purpose and usage clearer.
Despite its name, the function does not inherently operate on user space pointers. It can be used for user space accesses only when surrounded by proper user access logic (e.g., STAC/CLAC). The original intended use case was copying from user space into a non-cached kernel buffer, such as persistent memory. However, some drivers misused it for kernel-to-kernel copies solely for the non-temporal store performance benefit, bypassing the user access mechanisms.
The patch renames the function and adjusts its prototype to take a normal kernel pointer and a full size_t argument, eliminating silent truncation of sizes over 4GB. This change makes the interface more conventional and reduces the risk of misuse [1].
Mitigation is available by applying the kernel stable commit that implements the rename. Users should update to a kernel version containing this fix to benefit from improved clarity and safer usage of the underlying functionality.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cdnvd
- git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660nvd
- git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fenvd
- git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4nvd
- git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0nvd
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026