CVE-2026-43174 Overview
CVE-2026-43174 is a Linux kernel vulnerability in the io_uring/zcrx (zero-copy receive) subsystem. The flaw affects post-open error handling in the zero-copy receive context. Closing a queue does not guarantee that all associated page pools are terminated immediately. The original code released the zcrx context directly, bypassing the established refcounting mechanism. The fix lets refcounting manage the lifecycle of the context instead of releasing it directly.
Critical Impact
Improper lifecycle management of zcrx contexts during error paths can lead to use-after-free conditions or memory corruption when page pools outlive the parent context.
Affected Products
- Linux Kernel — versions containing the io_uring/zcrx zero-copy receive subsystem
- Distributions shipping affected mainline kernel versions prior to the upstream fix
- Stable kernel branches awaiting backport of the referenced commits
Discovery Timeline
- 2026-05-06 - CVE-2026-43174 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43174
Vulnerability Analysis
The vulnerability resides in the io_uring zero-copy receive (zcrx) implementation within the Linux kernel. io_uring is a high-performance asynchronous I/O interface, and zcrx provides zero-copy receive paths that map network buffers directly into userspace via page pools.
The defect involves object lifetime management during post-open error handling. When a receive queue is closed, the page pools associated with that queue are not guaranteed to terminate synchronously. Page pools may still hold references to buffers and metadata stored in the zcrx context. Releasing the zcrx context directly — without waiting for all dependent page pools to drop their references — creates a window where stale references to freed memory can be dereferenced.
Root Cause
The root cause is improper object lifecycle management in the error path. The original code performed direct release of the zcrx context rather than allowing the kernel's reference counting mechanism to coordinate teardown. This violates the invariant that an object must outlive all of its referrers.
Attack Vector
Exploitation requires local access with the ability to invoke io_uring system calls and configure zero-copy receive queues. An attacker triggers the post-open error path to force premature release of the zcrx context while page pools still hold references. The full impact, attack complexity, and required privileges have not been scored in the NVD entry. CWE classification is not assigned at the time of publication.
No verified exploit code is publicly available. The vulnerability is described in the upstream kernel commits referenced by the Kernel Git Commit and the follow-up Kernel Git Commit.
Detection Methods for CVE-2026-43174
Indicators of Compromise
- Kernel oops or panic messages referencing io_uring, zcrx, or page_pool in dmesg or /var/log/kern.log
- Unexpected process termination of workloads that use io_uring zero-copy receive
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in zero-copy receive code paths
Detection Strategies
- Audit running kernel versions across the fleet and compare against the upstream commit hashes 18afaff077b4 and 5d540e450895
- Enable kernel runtime checks such as KASAN on test systems to surface lifecycle issues in io_uring/zcrx
- Monitor auditd for processes invoking io_uring_setup and zero-copy receive registration calls from unprivileged users
Monitoring Recommendations
- Centralize kernel logs and alert on crashes referencing io_uring or zcrx symbols
- Track package inventory for kernel updates and validate that affected hosts receive the patched build
- Correlate workload telemetry with kernel events to detect anomalous teardown behavior of zero-copy receive queues
How to Mitigate CVE-2026-43174
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org commits and rebuild or update affected kernels
- Restrict access to io_uring for untrusted users via kernel.io_uring_disabled sysctl where the workload permits
- Inventory systems running kernel versions that include io_uring/zcrx and prioritize patching of multi-tenant hosts
Patch Information
The upstream fix replaces direct release of the zcrx context with refcount-driven teardown. Reference the patch at kernel.org commit 18afaff077b4 and the related change at kernel.org commit 5d540e450895. Distribution maintainers will backport these commits to supported stable branches.
Workarounds
- Disable io_uring system-wide using sysctl -w kernel.io_uring_disabled=2 if no workloads require it
- Avoid granting unprivileged users the ability to create io_uring instances on shared hosts
- Refrain from enabling zero-copy receive features in production until the patched kernel is deployed
# Configuration example
# Disable io_uring for unprivileged users until the kernel is patched
sysctl -w kernel.io_uring_disabled=2
# Persist the setting across reboots
echo 'kernel.io_uring_disabled = 2' | sudo tee /etc/sysctl.d/99-io_uring.conf
# Verify current kernel version against patched commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
