CVE-2026-43174
Description
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix post open error handling
Closing a queue doesn't guarantee that all associated page pools are terminated right away; let the refcounting do the work instead of releasing the zcrx ctx directly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, io_uring/zcrx had a use-after-free due to premature context release; fix defers cleanup to refcounting.
Vulnerability
The io_uring subsystem in the Linux kernel contained a use-after-free vulnerability in its zero-copy receive (zcrx) component. The error handling path after opening a zcrx context would release the context directly, but closing the associated queue does not guarantee immediate termination of all page pools. This could lead to a dangling pointer reference.
Exploitation
An attacker with the ability to create io_uring instances and trigger error conditions in zcrx setup could potentially exploit this race condition. The prerequisite is the ability to open and close io_uring queues with zero-copy receive enabled, which typically requires local access or limited privileges.
Impact
Successful exploitation could result in a use-after-free, potentially leading to privilege escalation or denial of service. The CVSS score of 5.5 (Medium) reflects the requirement for local access and the limited scope of impact.
Mitigation
The fix is included in the Linux kernel stable tree as commits [1] and [2]. Users are advised to update to the latest stable kernel version that includes these patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.