Skip to main content

Linux Kernel CVE-2026-43364

| EUVDEUVD-2026-28670 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-f4x6-g3j5-68gm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 18:31 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix NULL pointer dereference in ublk_ctrl_set_size()

ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking if it is NULL.

ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE handler performs no state validation, a user can trigger a NULL pointer dereference by sending UPDATE_SIZE to a device that has been added but not yet started, or one that has been stopped.

Fix this by checking ub->ub_disk under ub->mutex before dereferencing it, and returning -ENODEV if the disk is not available.

AnalysisAI

NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.

Technical ContextAI

This vulnerability affects the ublk (userspace block device) subsystem in the Linux kernel, introduced in commit 98b995660bff011d8e00af03abd74ac7d1ac1390. The ublk driver allows userspace programs to implement block devices with kernel performance characteristics. The flaw is a classic CWE-476 NULL pointer dereference where the ublk_ctrl_set_size() function calls set_capacity_and_notify() on ub->ub_disk without checking if the pointer is NULL. The ub->ub_disk member is only initialized in ublk_ctrl_start_dev() after UBLK_CMD_START_DEV completes, and is set to NULL by ublk_detach_disk() during UBLK_CMD_STOP_DEV. Because the UBLK_CMD_UPDATE_SIZE ioctl handler performs no state validation, it can be invoked during these windows when ub->ub_disk is NULL. The fix adds proper mutex-protected state checking before dereferencing the pointer, returning -ENODEV if the disk is unavailable.

RemediationAI

Upgrade to patched Linux kernel versions 6.18.20, 6.19.9, 7.0 or later stable releases that include the NULL pointer check fix in ublk_ctrl_set_size(). Patches are available from the Linux kernel stable tree at https://git.kernel.org/stable/c/f13fe6794726755a43090cb680c4c58cea6aa5f1 (stable branch), https://git.kernel.org/stable/c/c28d945bfa92e15147e93b73f95345b9bec979b0 (alternate stable), and https://git.kernel.org/stable/c/25966fc097691e5c925ad080f64a2f19c5fd940a (mainline integration). If immediate patching is not feasible, restrict access to the ublk device interface by limiting user permissions to create or interact with ublk devices via appropriate udev rules or capability restrictions (CAP_SYS_ADMIN requirements). This compensating control reduces attack surface but does not eliminate risk if privileged processes interact with ublk devices on behalf of lower-privileged users. Alternatively, disable or blacklist the ublk kernel module if the userspace block device functionality is not required for operations (via /etc/modprobe.d/blacklist.conf entry for ublk_drv), though this prevents legitimate use of ublk features. Verify patch application by checking kernel version and confirming the presence of state validation in ublk_ctrl_set_size() via kernel source inspection or vendor security advisories.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy