CVE-2026-43271 (GCVE-0-2026-43271)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:21
Title
md-cluster: fix NULL pointer dereference in process_metadata_update
Summary
In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.

While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().

If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Versions:
  Affected: 0ba959774e93911caff596de6391f085fb640ac4, < a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1 (git)
  Affected: 0ba959774e93911caff596de6391f085fb640ac4, < dec123825c1ed74d98fd5fc7571a851dea4f46ff (git)
  Affected: 0ba959774e93911caff596de6391f085fb640ac4, < 721599e837d3f4c0e6cc14da059612c017b6d3ec (git)
  Affected: 0ba959774e93911caff596de6391f085fb640ac4, < dceb5a843910004cb118148e267036104fc3ee43 (git)
  Affected: 0ba959774e93911caff596de6391f085fb640ac4, < f150e753cb8dd756085f46e86f2c35ce472e0a3c (git)
Vendor: Linux
Product: Linux
Versions:
  Affected: 4.12
  Unaffected: 0, < 4.12 (semver)
  Unaffected: 6.6.128, ≤ 6.6.* (semver)
  Unaffected: 6.12.75, ≤ 6.12.* (semver)
  Unaffected: 6.18.16, ≤ 6.18.* (semver)
  Unaffected: 6.19.6, ≤ 6.19.* (semver)
  Unaffected: 7.0, ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md-cluster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1",
              "status": "affected",
              "version": "0ba959774e93911caff596de6391f085fb640ac4",
              "versionType": "git"
            },
            {
              "lessThan": "dec123825c1ed74d98fd5fc7571a851dea4f46ff",
              "status": "affected",
              "version": "0ba959774e93911caff596de6391f085fb640ac4",
              "versionType": "git"
            },
            {
              "lessThan": "721599e837d3f4c0e6cc14da059612c017b6d3ec",
              "status": "affected",
              "version": "0ba959774e93911caff596de6391f085fb640ac4",
              "versionType": "git"
            },
            {
              "lessThan": "dceb5a843910004cb118148e267036104fc3ee43",
              "status": "affected",
              "version": "0ba959774e93911caff596de6391f085fb640ac4",
              "versionType": "git"
            },
            {
              "lessThan": "f150e753cb8dd756085f46e86f2c35ce472e0a3c",
              "status": "affected",
              "version": "0ba959774e93911caff596de6391f085fb640ac4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md-cluster.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the \u0027thread\u0027\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops-\u003ejoin().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev-\u003ethread (the main MD thread) is not initialized until\n   later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev-\u003ethread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the \u0027thread\u0027 pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:21:19.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"
        },
        {
          "url": "https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43"
        },
        {
          "url": "https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c"
        }
      ],
      "title": "md-cluster: fix NULL pointer dereference in process_metadata_update",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43271",
    "datePublished": "2026-05-06T11:28:55.507Z",
    "dateReserved": "2026-05-01T14:12:55.998Z",
    "dateUpdated": "2026-05-11T22:21:19.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43271",
      "date": "2026-05-25",
      "epss": "0.00013",
      "percentile": "0.023"
    }
  }
}

