Security Vulnerability Report
中文
CVE-2026-43174 CVSS 5.5 MEDIUM

CVE-2026-43174

Published: 2026-05-06 12:16:36
Last Modified: 2026-05-12 20:01:35
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (修复前版本)
Linux Kernel (提交 18afaff077b46655a8eb6fd7f6de1b81327be577 之前)
Linux Kernel (提交 5d540e4508950c674d6feef1d95463d039bbf4f5 之前)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <liburing.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> /* * Conceptual Proof of Concept for CVE-2026-43174 * This code attempts to trigger the zcrx post-open error handling path. * Note: Actual exploitation requires a vulnerable kernel version. */ int main() { struct io_uring ring; int ret; // Initialize io_uring instance ret = io_uring_queue_init(32, &ring, 0); if (ret < 0) { perror("io_uring_queue_init"); return 1; } printf("io_uring initialized. Attempting to trigger zcrx error path...\n"); // In a real scenario, specific io_uring registration ops (IORING_REGISTER_ZCRX) // would be called here to setup the queue and subsequently trigger // the error condition that leads to the faulty context release. // This requires hardware support or emulation for zcrx. // Cleanup io_uring_queue_exit(&ring); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43174", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:35.850", "lastModified": "2026-05-12T20:01:34.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zcrx: fix post open error handling\n\nClosing a queue doesn't guarantee that all associated page pools are\nterminated right away, let the refcounting do the work instead of\nreleasing the zcrx ctx directly."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.6", "matchCriteriaId": "FB4420D6-E715-4ED2-B6AE-089134FC74C9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/18afaff077b46655a8eb6fd7f6de1b81327be577", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d540e4508950c674d6feef1d95463d039bbf4f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.