CVE-2026-43073 (GCVE-0-2026-43073)

Vulnerability from cvelistv5 – Published: 2026-05-05 15:29 – Updated: 2026-05-05 15:29
VLAI?
Title
x86-64: rename misleadingly named '__copy_user_nocache()' function
Summary
In the Linux kernel, the following vulnerability has been resolved: x86-64: rename misleadingly named '__copy_user_nocache()' function This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c6d4e0599e7e73abc04e2488dfeb7940c4039660 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d993e1723aa2a085aa0d72e70ea889031fc225b4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efea91ad1729ff1853d7418e4d3bc27d085e72d0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d187a86de793f84766ea40b9ade7ac60aabbb4fe (git)
Create a notification for this product.
    Linux Linux Unaffected: 6.12.83 , ≤ 6.12.* (semver)
Unaffected: 6.18.24 , ≤ 6.18.* (semver)
Unaffected: 6.19.14 , ≤ 6.19.* (semver)
Unaffected: 7.0.1 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/uaccess_64.h",
            "arch/x86/lib/copy_user_uncached_64.S",
            "arch/x86/lib/usercopy_64.c",
            "drivers/infiniband/sw/rdmavt/qp.c",
            "drivers/ntb/ntb_transport.c",
            "tools/objtool/check.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c6d4e0599e7e73abc04e2488dfeb7940c4039660",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d993e1723aa2a085aa0d72e70ea889031fc225b4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "efea91ad1729ff1853d7418e4d3bc27d085e72d0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d187a86de793f84766ea40b9ade7ac60aabbb4fe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/uaccess_64.h",
            "arch/x86/lib/copy_user_uncached_64.S",
            "arch/x86/lib/usercopy_64.c",
            "drivers/infiniband/sw/rdmavt/qp.c",
            "drivers/ntb/ntb_transport.c",
            "tools/objtool/check.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.83",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named \u0027__copy_user_nocache()\u0027 function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It\u0027s a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn\u0027t take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won\u0027t actually copy more than 4GB in one\ngo, but there\u0027s also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T15:29:29.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660"
        },
        {
          "url": "https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe"
        }
      ],
      "title": "x86-64: rename misleadingly named \u0027__copy_user_nocache()\u0027 function",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43073",
    "datePublished": "2026-05-05T15:29:29.510Z",
    "dateReserved": "2026-05-01T14:12:55.982Z",
    "dateUpdated": "2026-05-05T15:29:29.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43073",
      "date": "2026-05-06",
      "epss": "0.00018",
      "percentile": "0.04837"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43073\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-05T16:16:16.650\",\"lastModified\":\"2026-05-06T13:08:07.970\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86-64: rename misleadingly named \u0027__copy_user_nocache()\u0027 function\\n\\nThis function was a masterclass in bad naming, for various historical\\nreasons.\\n\\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\\nthose things.  It\u0027s a specialty memory copy routine that uses\\nnon-temporal stores for the destination (but not the source), and that\\ndoes exception handling for both source and destination accesses.\\n\\nAlso note that while it works for unaligned targets, any unaligned parts\\n(whether at beginning or end) will not use non-temporal stores, since\\nonly words and quadwords can be non-temporal on x86.\\n\\nThe exception handling means that it _can_ be used for user space\\naccesses, but not on its own - it needs all the normal \\\"start user space\\naccess\\\" logic around it.\\n\\nBut typically the user space access would be the source, not the\\nnon-temporal destination.  That was the original intention of this,\\nwhere the destination was some fragile persistent memory target that\\nneeded non-temporal stores in order to catch machine check exceptions\\nsynchronously and deal with them gracefully.\\n\\nThus that non-descriptive name: one use case was to copy from user space\\ninto a non-cached kernel buffer.  However, the existing users are a mix\\nof that intended use-case, and a couple of random drivers that just did\\nthis as a performance tweak.\\n\\nSome of those random drivers then actively misused the user copying\\nversion (with STAC/CLAC and all) to do kernel copies without ever even\\ncaring about the exception handling, _just_ for the non-temporal\\ndestination.\\n\\nRename it as a first small step to actually make it halfway sane, and\\nchange the prototype to be more normal: it doesn\u0027t take a user pointer\\nunless the caller has done the proper conversion, and the argument size\\nis the full size_t (it still won\u0027t actually copy more than 4GB in one\\ngo, but there\u0027s also no reason to silently truncate the size argument in\\nthe caller).\\n\\nFinally, use this now sanely named function in the NTB code, which\\nmis-used a user copy version (with STAC/CLAC and all) of this interface\\ndespite it not actually being a user copy at all.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.