In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in processmetadataupdate
The function processmetadataupdate() blindly dereferences the 'thread' pointer (acquired via rcudereferenceprotected) within the wait_event() macro.
While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):
If a METADATAUPDATED message is received from a remote node during this specific window, processmetadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.
To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (nonewdev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43271.json"
}