From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-53199: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
Date: Thu, 25 Jun 2026 09:40:47 +0100 [thread overview]
Message-ID: <2026062500-CVE-2026-53199-e12a@gregkh> (raw)
From: Greg Kroah-Hartman <gregkh@kernel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.
Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:
- pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
not a native PFN. Reconstruct the physical address first and derive
the native page from it, so the mapping stays correct where
PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
- Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
grouping in the page buffer array"), an entry describes a full
physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
while kmap_local_page() maps a single page. Copy page by page,
splitting at native page boundaries.
The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.
The Linux kernel CVE team has assigned CVE-2026-53199 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 5.10.259 with commit 16514afeb7d3d121072ba9a0b640d6c1c5507db0
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 5.15.210 with commit a82d4251918f37d9c5aab7b365157669fb885ec3
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.1.176 with commit 695c59cf7bf707e6ff8cea01916ee50e86616933
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.6.143 with commit 09b8a7aa5a341bb345dc492aac139525efa13515
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.12.94 with commit 918c0c988239aa5ab96b254e504d191af6191061
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.18.36 with commit 0b38870d81ab3a04c1ab0598d9d3285f5d9d0584
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 7.0.13 with commit fe7221b4346418d27ec2daccfc09df6692b76f0b
Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 7.1 with commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-53199
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/hyperv/netvsc.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0
https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3
https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933
https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515
https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061
https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584
https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b
https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af
reply other threads:[~2026-06-25 8:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026062500-CVE-2026-53199-e12a@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=gregkh@kernel.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.