{
  "threat_severity" : "Low",
  "public_date" : "2026-05-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: x86-64: rename misleadingly named '__copy_user_nocache()' function",
    "id" : "2466792",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2466792"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-440",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nx86-64: rename misleadingly named '__copy_user_nocache()' function\nThis function was a masterclass in bad naming, for various historical\nreasons.\nIt claimed to be a non-cached user copy.  It is literally _neither_ of\nthose things.  It's a specialty memory copy routine that uses\nnon-temporal stores for the destination (but not the source), and that\ndoes exception handling for both source and destination accesses.\nAlso note that while it works for unaligned targets, any unaligned parts\n(whether at beginning or end) will not use non-temporal stores, since\nonly words and quadwords can be non-temporal on x86.\nThe exception handling means that it _can_ be used for user space\naccesses, but not on its own - it needs all the normal \"start user space\naccess\" logic around it.\nBut typically the user space access would be the source, not the\nnon-temporal destination.  That was the original intention of this,\nwhere the destination was some fragile persistent memory target that\nneeded non-temporal stores in order to catch machine check exceptions\nsynchronously and deal with them gracefully.\nThus that non-descriptive name: one use case was to copy from user space\ninto a non-cached kernel buffer.  However, the existing users are a mix\nof that intended use-case, and a couple of random drivers that just did\nthis as a performance tweak.\nSome of those random drivers then actively misused the user copying\nversion (with STAC/CLAC and all) to do kernel copies without ever even\ncaring about the exception handling, _just_ for the non-temporal\ndestination.\nRename it as a first small step to actually make it halfway sane, and\nchange the prototype to be more normal: it doesn't take a user pointer\nunless the caller has done the proper conversion, and the argument size\nis the full size_t (it still won't actually copy more than 4GB in one\ngo, but there's also no reason to silently truncate the size argument in\nthe caller).\nFinally, use this now sanely named function in the NTB code, which\nmis-used a user copy version (with STAC/CLAC and all) of this interface\ndespite it not actually being a user copy at all.", "A flaw was found in the Linux kernel. The `__copy_user_nocache()` function had a misleading name, which led to its incorrect use by certain kernel components (drivers). These drivers performed kernel memory copies without properly considering the function's exception handling mechanisms. This improper usage could potentially lead to system instability or a denial of service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43073\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43073\nhttps://lore.kernel.org/linux-cve-announce/2026050558-CVE-2026-43073-24cf@gregkh/T" ],
  "name" : "CVE-2026-43073",
  "csaw" : false
}