CVE-2026-43271

Source
https://cve.org/CVERecord?id=CVE-2026-43271
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43271.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43271
Published
2026-05-06T11:28:55.507Z
Modified
2026-06-18T03:56:20.629993279Z
Summary
md-cluster: fix NULL pointer dereference in process_metadata_update
Details

In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.

While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):

  1. bitmap_load() is called, which invokes md_cluster_ops->join().
  2. join() starts the "cluster_recv" thread (recv_daemon).
  3. At this point, recv_daemon is active and processing messages.
  4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().

If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43271.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0ba959774e93911caff596de6391f085fb640ac4
Fixed
a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1
Fixed
dec123825c1ed74d98fd5fc7571a851dea4f46ff
Fixed
721599e837d3f4c0e6cc14da059612c017b6d3ec
Fixed
dceb5a843910004cb118148e267036104fc3ee43
Fixed
f150e753cb8dd756085f46e86f2c35ce472e0a3c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43271.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.12.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6
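
For triage, the ECOSYSTEM ranges above can be evaluated against a `uname -r` style release string; the following is an added example, not part of the OSV record or the kernel project, and the names `AFFECTED_RANGES`, `parse_release`, `matching_range` and `is_affected` are hypothetical. It assumes upstream stable version numbering only: a distribution kernel may carry the fix as a backport under an older version number, so a match here is a prompt to check the vendor advisory, and the issue is only reachable where md-cluster is in use.

```python
import re
import sys
import platform

# Half-open [introduced, fixed) pairs copied from the "Linux / Kernel"
# affected ranges in this record.
AFFECTED_RANGES = [
    ("4.12.0", "6.6.128"),
    ("6.7.0", "6.12.75"),
    ("6.13.0", "6.18.16"),
    ("6.19.0", "6.19.6"),
]

def parse_release(release):
    """Parse a `uname -r` style string into (major, minor, patch).

    Suffixes such as "-generic" or "-rc3" are ignored (assumption of this
    example), and a missing patch level counts as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def matching_range(release):
    """Return the (introduced, fixed) pair containing `release`, or None."""
    version = parse_release(release)
    for introduced, fixed in AFFECTED_RANGES:
        # OSV semantics: introduced is inclusive, fixed is exclusive.
        if parse_release(introduced) <= version < parse_release(fixed):
            return introduced, fixed
    return None

def is_affected(release):
    """True when the release falls inside any affected range."""
    return matching_range(release) is not None

if __name__ == "__main__":
    # Constructed usage: check the argument, or the running kernel if none.
    release = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    hit = matching_range(release)
    if hit:
        print(f"{release}: in affected range, first fixed version in it: {hit[1]}")
    else:
        print(f"{release}: outside the affected ranges listed in this record")
```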

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43271.json"