CVE-2026-43224

Summary

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix sgtable leak on mapping failures

In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux439a98b972fbb1991819b5367f482cd4161ba39c < f1ae403324311e143ef20e53cf9a5f01e312f7c9affected
LinuxLinux439a98b972fbb1991819b5367f482cd4161ba39c < ef075c1464ac9047e2cf7d23cb020bfd0b8e4b60affected
LinuxLinux439a98b972fbb1991819b5367f482cd4161ba39c < a983aae397767e9da931128ff2b5bf9066513ce3affected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux6.18.16 <= 6.18.*unaffected
LinuxLinux6.19.6 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References