user_ref race → double-free → OOB write
CVE-2026-43121 is a medium-severity vulnerability in the Linux kernel's io_uring/zcrx code: a user_ref race leading to a double-free and an out-of-bounds (OOB) write.
Reported by Kai Aizen. Status: Published. Coordinated through standard NVD/MITRE/GHSA channels.
CVE-2026-43121 is a race condition in the Linux kernel's io_uring zerocopy-receive (zcrx) path. Operations on user_refs were not atomic, so concurrent threads could race the reference count to zero twice, producing a double-free that can be steered into an out-of-bounds write.
You are affected if your Linux kernel exposes io_uring zcrx and is older than the upstream fix. Cloud and container hosts running unprivileged workloads with io_uring enabled are the primary risk. Distributions ship backported fixes — apply the kernel update from your vendor.
Apply the upstream fix that converts user_refs operations to atomic primitives (mainline commit by Kai Aizen). On systems where a kernel upgrade is not immediately possible, restrict io_uring usage via /proc/sys/kernel/io_uring_disabled, by namespace policy, or by seccomp filtering of io_uring_setup() for untrusted workloads.
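The sysctl mitigation above can be audited with a short script. This is an added example, not code from the advisory or the kernel project: the function name `io_uring_verdict` and its exit codes are hypothetical, and the value meanings (0, 1, 2, and the companion `io_uring_group` file) are taken from the kernel's sysctl documentation.

```shell
#!/bin/sh
# Added example: audit the io_uring_disabled mitigation named in the advisory.
# Value meanings follow the kernel sysctl documentation (sysctl exists since Linux 6.6).

# io_uring_verdict DIR   (hypothetical helper name)
#   DIR holds the io_uring_disabled and io_uring_group files, normally
#   /proc/sys/kernel; taking a directory keeps the check testable.
#   Prints a one-line verdict. Exit: 0 restricted, 1 exposed, 2 undetermined.
io_uring_verdict() {
    dir="${1:-/proc/sys/kernel}"
    if [ ! -r "$dir/io_uring_disabled" ]; then
        # Older kernels have no sysctl: only seccomp or namespace policy can help.
        echo "undetermined: no io_uring_disabled sysctl; filter io_uring_setup() with seccomp"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$dir/io_uring_disabled")
    case "$value" in
        0)
            echo "exposed: any process may call io_uring_setup()"
            return 1 ;;
        1)
            # Mode 1 still admits CAP_SYS_ADMIN and members of io_uring_group.
            gid=-1
            if [ -r "$dir/io_uring_group" ]; then
                gid=$(tr -d '[:space:]' < "$dir/io_uring_group")
            fi
            if [ "$gid" = "-1" ]; then
                echo "restricted: only CAP_SYS_ADMIN may create rings"
            else
                echo "restricted: CAP_SYS_ADMIN or gid $gid may create rings"
            fi
            return 0 ;;
        2)
            echo "disabled: io_uring_setup() fails for every process"
            return 0 ;;
        *)
            echo "undetermined: unexpected value '$value'"
            return 2 ;;
    esac
}

# Audit the running host; a non-zero status means follow-up is needed.
io_uring_verdict /proc/sys/kernel || echo "follow-up needed"
```

The sysctl only blocks creation of new rings; instances that already exist stay usable, so restart untrusted workloads after tightening it.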
The impact is a local privilege escalation primitive: a double-free plus OOB write in kernel memory. The CVSS score is 4.7 (Medium); exploitation complexity is high, but the resulting primitive is powerful.
References: the upstream mainline commit on git.kernel.org, NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-43121, the MITRE CVE record, and the snailsploit writeup at /security-research/general/io-uring-zcrx-race-condition/.