Skip to main content

Linux Kernel CVE-2026-43314

| EUVDEUVD-2026-28584 MEDIUM
Missing Release of Resource after Effective Lifetime (CWE-772)
2026-05-08 Linux GHSA-r88m-3gh4-8vp3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 19:33 vuln.today
CVSS changed
May 15, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm: remove fake timeout to avoid leak request

Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities.

However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices.

If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely.

Reproduce:

  1. prepare dm which has iscsi slave device
  2. inject io-timeout-fail to dm

echo 1 >/sys/class/block/dm-0/io-timeout-fail echo 100 >/sys/kernel/debug/fail_io_timeout/probability echo 10 >/sys/kernel/debug/fail_io_timeout/times

  1. read/write dm
  2. iscsiadm -m node -u

Result: hang task like below [ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds. [ 862.244133] Tainted: G E 6.19.0-rc1+ #51 [ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000 [ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi] [ 862.245264] Call Trace: [ 862.245587] <TASK> [ 862.245814] __schedule+0x810/0x15c0 [ 862.246557] schedule+0x69/0x180 [ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120 [ 862.247688] elevator_change+0x16d/0x460 [ 862.247893] elevator_set_none+0x87/0xf0 [ 862.248798] blk_unregister_queue+0x12e/0x2a0 [ 862.248995] __del_gendisk+0x231/0x7e0 [ 862.250143] del_gendisk+0x12f/0x1d0 [ 862.250339] sd_remove+0x85/0x130 [sd_mod] [ 862.250650] device_release_driver_internal+0x36d/0x530 [ 862.250849] bus_remove_device+0x1dd/0x3f0 [ 862.251042] device_del+0x38a/0x930 [ 862.252095] __scsi_remove_device+0x293/0x360 [ 862.252291] scsi_remove_target+0x486/0x760 [ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi] [ 862.252886] process_one_work+0x633/0xe50 [ 862.253101] worker_thread+0x6df/0xf10 [ 862.253647] kthread+0x36d/0x720 [ 862.254533] ret_from_fork+0x2a6/0x470 [ 862.255852] ret_from_fork_asm+0x1a/0x30 [ 862.256037] </TASK>

Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts.

AnalysisAI

Local attackers with low privileges can cause indefinite system hangs in Linux kernel device-mapper (dm) subsystem by injecting io-timeout-fail errors, triggering CWE-772 resource leaks where I/O requests are never completed. Affects longstanding kernel code from 5.10.x through mainline 6.19.x; vendor-patched versions available (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Technical ContextAI

The device-mapper (dm) subsystem in the Linux kernel provides logical volume management by mapping I/O requests from virtual block devices to underlying physical devices (slaves). Since kernel commit 15f73f5b3e59, block layer drivers became responsible for calling blk_should_fake_timeout() to support fault injection testing. However, dm lacks a native timeout handler and delegates timeout management to its slave devices (e.g., iSCSI targets). CWE-772 (Missing Release of Resource after Effective Lifetime) occurs when an io-timeout-fail error is injected via the kernel's fault injection framework: the dm layer incorrectly processes the fake timeout, causing I/O requests to leak without completion. This leaves tasks in uninterruptible sleep (D state) indefinitely, as demonstrated in the blk_mq_freeze_queue_wait() call path during device teardown. The issue spans all kernel versions from the initial git commit (1da177e4c3f4) through current development branches, affecting CPE cpe:2.3:a:linux:linux across multiple stable series.

RemediationAI

Apply vendor-released kernel updates immediately for systems using device-mapper: upgrade to Linux 7.0 (mainline), 6.19.6, 6.18.16, 6.12.75, 6.6.128, 6.1.165, 5.15.202, or 5.10.252 depending on your kernel series. Upstream fix commits are available at git.kernel.org/stable (references provided remove blk_should_fake_timeout check from dm code path). Distribution-specific advisories should be consulted for packaged kernel updates (check RHEL/Ubuntu/SUSE security repositories). If immediate patching is not feasible, implement these compensating controls: (1) restrict access to /sys/kernel/debug/ by mounting debugfs with stricter permissions or disabling CONFIG_FAULT_INJECTION_DEBUG_FS at kernel build time (trade-off: disables fault injection testing capabilities); (2) audit and restrict local user privileges to prevent PR:L access to fault injection interfaces; (3) monitor for tasks in D state via system monitoring tools as an early warning signal (check /proc/*/status for 'State: D'). Note that disabling device-mapper entirely is not practical for most systems using LVM, but limiting fault injection interface exposure significantly reduces attack surface with minimal operational impact for production environments.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy