Skip to main content

Linux Kernel CVE-2026-43163

| EUVDEUVD-2026-27726 MEDIUM
Race Condition (CWE-362)
2026-05-06 Linux GHSA-4hfr-m4m2-94ff
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:04 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
4.7 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

md/bitmap: fix GPF in write_page caused by resize race

A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod]

This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over bitmap->storage.filemap without locking, while the resize path frees that storage via md_bitmap_file_unmap(). quiesce() does not stop the md thread, allowing concurrent access to freed pages.

Fix by holding mddev->bitmap_info.mutex during the bitmap update.

AnalysisAI

Use-after-free in the Linux kernel's md/bitmap subsystem triggers a General Protection Fault (GPF) in write_page() during MD array resize operations, resulting in a kernel crash and denial of service. Affected are systems using Software RAID (md) with bitmap support across a wide range of stable kernel series from 3.5 through 7.0, with patches backported to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6. No public exploit code exists and the EPSS score of 0.02% (7th percentile) indicates very low exploitation probability; however, Red Hat has issued a formal advisory (RHSA-2026:19568), confirming vendor acknowledgment.

Technical ContextAI

The vulnerability resides in the Linux kernel's multiple-device (md) driver, specifically its bitmap subsystem (md_mod kernel module). The md subsystem implements software RAID, and the bitmap component tracks dirty regions for rebuild optimization. The race condition (CWE-362) exists between two concurrent kernel threads: bitmap_daemon_work(), which periodically flushes bitmap pages by iterating over bitmap->storage.filemap, and __bitmap_resize(), which reallocates that same storage structure during an array resize operation. The resize path calls md_bitmap_file_unmap() to free the existing filemap pages, but because bitmap_daemon_work() accesses filemap without holding mddev->bitmap_info.mutex, a concurrent daemon iteration can dereference a freed page pointer. The quiesce() call in the resize path does not halt the md thread, leaving the window open. The resulting General Protection Fault - a hardware fault triggered by a memory access violation - manifests at write_page+0x22b/0x3c0. The CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* confirms the scope is the upstream Linux kernel across all architectures. The fix serializes bitmap updates by acquiring mddev->bitmap_info.mutex before the daemon iterates filemap.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, or 6.19.6 depending on the stable branch in use; mainline 7.0 also contains the fix. The upstream fix commits are documented across eight stable-branch patches at https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7 and related commits. Red Hat users should apply the update referenced in RHSA-2026:19568. SUSE users should monitor SUSE Security Advisories for a corresponding SUSE Linux Enterprise kernel update. If immediate patching is not possible, the compensating control is to avoid performing md array resize operations (mdadm --grow) while the md bitmap daemon is active on production systems. Operators can temporarily disable the bitmap (mdadm --grow --bitmap=none) before resizing and re-enable it afterward, trading rebuild-efficiency for safety during the unpatched window. This workaround eliminates the vulnerable code path at the cost of slower RAID rebuild performance if a disk fails during the maintenance window.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy