CVE-2026-43224 PUBLISHED

io_uring/zcrx: fix sgtable leak on mapping failures

Assigner: Linux
Reserved: 01.05.2026 Published: 06.05.2026 Updated: 06.05.2026

In the Linux kernel, the following vulnerability has been resolved:

io_uring/zcrx: fix sgtable leak on mapping failures

In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 439a98b972fbb1991819b5367f482cd4161ba39c to f1ae403324311e143ef20e53cf9a5f01e312f7c9 (excl.) affected from 439a98b972fbb1991819b5367f482cd4161ba39c to ef075c1464ac9047e2cf7d23cb020bfd0b8e4b60 (excl.) affected from 439a98b972fbb1991819b5367f482cd4161ba39c to a983aae397767e9da931128ff2b5bf9066513ce3 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.18 is affected unaffected from 0 to 6.18 (excl.) unaffected from 6.18.16 to 6.18.* (incl.) unaffected from 6.19.6 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

CVE-2026-43224 PUBLISHED

io_uring/zcrx: fix sgtable leak on mapping failures

Product Status

References