CVE-2026-43278

Source
https://cve.org/CVERecord?id=CVE-2026-43278
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43278.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43278
Downstream
Published
2026-05-06T11:29:00.193Z
Modified
2026-06-18T03:55:54.549856447Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
dm: clear cloned request bio pointer when last clone bio completes
Details

In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().

The resulting double-free path looks like:

  nvme_pci_complete_batch()
    nvme_complete_batch()
      blk_mq_end_request_batch()
        blk_complete_request() // called on a DM clone request
          bio_endio() // first free of all clone bios
          ...
          rq->end_io() // end_clone_request()
            dm_complete_request(tio->orig)
              dm_softirq_done()
                dm_done()
                  dm_end_request()
                    blk_rq_unprep_clone() // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
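
The stale-pointer pattern described above, reduced to a user-space toy model. This is an added example, not code from the kernel or from the fix commit; every toy_* name is hypothetical, and a release counter stands in for the actual free so the double release can be observed safely.

```c
#include <stdio.h>
/* Toy model only: every toy_* name is hypothetical, none is kernel code. */
struct toy_bio { struct toy_bio *next; int releases; };
struct toy_rq  { struct toy_bio *bio; int pending; };

/* Stands in for freeing a bio; counting keeps the demo free of real UB. */
static void toy_bio_release(struct toy_bio *b) { b->releases++; }

/* Completion path: every clone bio ends and is released here. */
static void toy_complete_request(struct toy_rq *rq, int clear_on_last)
{
    struct toy_bio *b = rq->bio, *next;
    for (; b != NULL; b = next) {
        next = b->next;
        toy_bio_release(b);
        /* The fix described above: drop the stale pointer on the last bio. */
        if (--rq->pending == 0 && clear_on_last)
            rq->bio = NULL;
    }
}

/* Teardown path: releases whatever rq->bio still points at. */
static void toy_unprep_clone(struct toy_rq *rq)
{
    struct toy_bio *b;
    while ((b = rq->bio) != NULL) {
        rq->bio = b->next;
        toy_bio_release(b);
    }
}

/* Runs completion then teardown; returns the highest per-bio release count. */
static int toy_max_releases(int clear_on_last)
{
    struct toy_bio bios[3] = { { &bios[1], 0 }, { &bios[2], 0 }, { NULL, 0 } };
    struct toy_rq rq = { &bios[0], 3 };
    int i, max = 0;
    toy_complete_request(&rq, clear_on_last);
    toy_unprep_clone(&rq);
    for (i = 0; i < 3; i++)
        if (bios[i].releases > max) max = bios[i].releases;
    return max;
}

int main(void)
{
    printf("stale rq->bio: %d, cleared: %d\n", toy_max_releases(0), toy_max_releases(1));
    return 0;
}
```

A count of 2 means teardown released bios that completion had already released; with the pointer cleared on the last completion, each bio is released exactly once.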

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43278.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Fixed
8d9ddad561136f7e6a9346767bf97b4d79e38e67
Fixed
7daf279c674d515fb22a727a7bbc92aeb35c5442
Fixed
e2e738e8dfbbf83bd2bae0467ec4420cc52da42a
Fixed
b1c1a2637ebd675aa2d71fee8c70da8791d73850
Fixed
83d72091804600ead96dc9e9f518ea56cb4942f6
Fixed
fb8a6c18fb9a6561f7a15b58b272442b77a242dd

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43278.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.165
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.128
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43278.json"