{"api_version":"1","generated_at":"2026-06-25T11:33:18+00:00","cve":"CVE-2026-53199","urls":{"html":"https://cve.report/CVE-2026-53199","api":"https://cve.report/api/cve/CVE-2026-53199.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53199","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53199"},"summary":{"title":"hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc'd memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n   not a native PFN. Reconstruct the physical address first and derive\n   the native page from it, so the mapping stays correct where\n   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n   grouping in the page buffer array\"), an entry describes a full\n   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n   while kmap_local_page() maps a single page. Copy page by page,\n   splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:37","updated_at":"2026-06-25 09:16:37"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3","name":"https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933","name":"https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584","name":"https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061","name":"https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515","name":"https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b","name":"https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0","name":"https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af","name":"https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53199","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53199","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 16514afeb7d3d121072ba9a0b640d6c1c5507db0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e a82d4251918f37d9c5aab7b365157669fb885ec3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 695c59cf7bf707e6ff8cea01916ee50e86616933 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 09b8a7aa5a341bb345dc492aac139525efa13515 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 918c0c988239aa5ab96b254e504d191af6191061 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 0b38870d81ab3a04c1ab0598d9d3285f5d9d0584 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e fe7221b4346418d27ec2daccfc09df6692b76f0b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/hyperv/netvsc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"16514afeb7d3d121072ba9a0b640d6c1c5507db0","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"a82d4251918f37d9c5aab7b365157669fb885ec3","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"695c59cf7bf707e6ff8cea01916ee50e86616933","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"09b8a7aa5a341bb345dc492aac139525efa13515","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"918c0c988239aa5ab96b254e504d191af6191061","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"0b38870d81ab3a04c1ab0598d9d3285f5d9d0584","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"fe7221b4346418d27ec2daccfc09df6692b76f0b","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"},{"lessThan":"004e9ecfe6c5384f9e0b2f6f6389d42ec22789af","status":"affected","version":"c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/hyperv/netvsc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.16"},{"lessThan":"3.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"3.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"3.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc'd memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n   not a native PFN. Reconstruct the physical address first and derive\n   the native page from it, so the mapping stays correct where\n   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n   grouping in the page buffer array\"), an entry describes a full\n   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n   while kmap_local_page() maps a single page. Copy page by page,\n   splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:08.320Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0"},{"url":"https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3"},{"url":"https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933"},{"url":"https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515"},{"url":"https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061"},{"url":"https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584"},{"url":"https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b"},{"url":"https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af"}],"title":"hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53199","datePublished":"2026-06-25T08:39:08.320Z","dateReserved":"2026-06-09T07:44:35.391Z","dateUpdated":"2026-06-25T08:39:08.320Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:37","lastModifiedDate":"2026-06-25 09:16:37","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53199","Ordinal":"1","Title":"hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf","CVE":"CVE-2026-53199","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53199","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf\n\nnetvsc_copy_to_send_buf() copies page buffer entries into the VMBus\nsend buffer using phys_to_virt() on the entry PFN. Entries for the\nRNDIS header and the skb linear data come from kmalloc'd memory and\nare always in the kernel direct map, but entries for skb fragments\nreference page cache or user pages, which on 32-bit x86 with\nCONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page\nphys_to_virt() returns an address outside the direct map and the\nsubsequent memcpy() faults on the transmit softirq path, which is\nfatal.\n\nMap the pages with kmap_local_page() instead, handling two properties\nof the page buffer entries:\n\n - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,\n   not a native PFN. Reconstruct the physical address first and derive\n   the native page from it, so the mapping stays correct where\n   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).\n\n - Since commit 41a6328b2c55 (\"hv_netvsc: Preserve contiguous PFN\n   grouping in the page buffer array\"), an entry describes a full\n   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,\n   while kmap_local_page() maps a single page. Copy page by page,\n   splitting at native page boundaries.\n\nThe copy path only handles packets smaller than the send section size\n(6144 bytes by default); larger packets take the cp_partial path where\nonly the RNDIS header is copied. So entries here are bounded by the\nsection size and a copy is split at most once on 4K-page systems. On\n!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and\nno mapping work is added.","Type":"Description","Title":"hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf"}]}}}