CVE-2026-43271

EUVD-2026-27666

06.05.2026, 12:16

In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.

While the code comment states "daemon thread must exist", there is a valid
race condition window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until
   later in md_run().

If a METADATA_UPDATED message is received from a remote node during this
specific window, process_metadata_update() will be called while
mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we
release the held lock (no_new_dev_lockres) and return early, safely
ignoring the update request as the array is not yet fully ready to
process it.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.12 ≤ 𝑥 < 6.6.128
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.75
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.16
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	6.19.14-1 fixed
sid	7.0.4-1 fixed
trixie	vulnerable
trixie (security)	6.12.86-1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht spezifizierte Angriffe durchzuführen, möglicherweise Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-06T22:00:00+00:00

References

https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec

https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1

https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43

https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff

https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c