{"api_version":"1","generated_at":"2026-05-10T15:11:46+00:00","cve":"CVE-2026-43073","urls":{"html":"https://cve.report/CVE-2026-43073","api":"https://cve.report/api/cve/CVE-2026-43073.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43073","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43073"},"summary":{"title":"x86-64: rename misleadingly named '__copy_user_nocache()' function","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named '__copy_user_nocache()' function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-05 16:16:16","updated_at":"2026-05-06 13:08:07"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0","name":"https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660","name":"https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe","name":"https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4","name":"https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd","name":"https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43073","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43073","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 c6d4e0599e7e73abc04e2488dfeb7940c4039660 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d993e1723aa2a085aa0d72e70ea889031fc225b4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 efea91ad1729ff1853d7418e4d3bc27d085e72d0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 d187a86de793f84766ea40b9ade7ac60aabbb4fe git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.83 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.1 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/x86/include/asm/uaccess_64.h","arch/x86/lib/copy_user_uncached_64.S","arch/x86/lib/usercopy_64.c","drivers/infiniband/sw/rdmavt/qp.c","drivers/ntb/ntb_transport.c","tools/objtool/check.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"c6d4e0599e7e73abc04e2488dfeb7940c4039660","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"d993e1723aa2a085aa0d72e70ea889031fc225b4","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"efea91ad1729ff1853d7418e4d3bc27d085e72d0","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"d187a86de793f84766ea40b9ade7ac60aabbb4fe","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/x86/include/asm/uaccess_64.h","arch/x86/lib/copy_user_uncached_64.S","arch/x86/lib/usercopy_64.c","drivers/infiniband/sw/rdmavt/qp.c","drivers/ntb/ntb_transport.c","tools/objtool/check.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.83","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.1","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.83","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.1","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named '__copy_user_nocache()' function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all."}],"providerMetadata":{"dateUpdated":"2026-05-05T15:29:29.510Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd"},{"url":"https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660"},{"url":"https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4"},{"url":"https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0"},{"url":"https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe"}],"title":"x86-64: rename misleadingly named '__copy_user_nocache()' function","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43073","datePublished":"2026-05-05T15:29:29.510Z","dateReserved":"2026-05-01T14:12:55.982Z","dateUpdated":"2026-05-05T15:29:29.510Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 16:16:16","lastModifiedDate":"2026-05-06 13:08:07","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43073","Ordinal":"1","Title":"x86-64: rename misleadingly named '__copy_user_nocache()' functi","CVE":"CVE-2026-43073","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43073","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86-64: rename misleadingly named '__copy_user_nocache()' function\n\nThis function was a masterclass in bad naming, for various historical\nreasons.\n\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\n\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\n\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\n\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\n\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\n\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\n\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\n\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all.","Type":"Description","Title":"x86-64: rename misleadingly named '__copy_user_nocache()' functi"}]}}}