Skip to main content

Linux Kernel EUVDEUVD-2026-27674

| CVE-2026-43278 HIGH
Double Free (CWE-415)
2026-05-06 Linux GHSA-vwc3-h3w8-q85f
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:45 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:29 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().

The resulting double-free path looks like:

nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.

AnalysisAI

Double-free memory corruption in Linux kernel device-mapper subsystem allows local authenticated users to trigger use-after-free conditions, potentially leading to privilege escalation or denial of service. The vulnerability manifests when using request-based DM targets (e.g., dm-multipath) over NVMe devices, where cloned request bios are freed twice due to stale bio pointers in clone requests. Vendor patches available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low predicted exploitation probability; no active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's device-mapper (DM) layer, specifically in request-based targets like dm-multipath when layered over NVMe block devices. The bug stems from incomplete cleanup of cloned bio structures during request completion. In the block I/O subsystem, the device-mapper creates cloned bios for request routing, but the original request's bio pointer (rq->bio) is not cleared after the cloned bios are freed in blk_complete_request(). When the DM completion path (end_clone_request → dm_end_request → blk_rq_unprep_clone) executes, it attempts to free the same bio structures again. This represents a classic object lifecycle management error where ownership semantics are unclear between the block layer's batch completion path and the device-mapper's clone teardown logic. The affected CPE indicates all Linux kernel versions from the initial git commit (1da177e4c3f4) through the patched commits, though practical exploitation requires specific configurations using request-based DM targets.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252+ (for 5.10.x users), 5.15.202+ (for 5.15.x), 6.1.165+ (for 6.1.x LTS), 6.6.128+ (for 6.6.x LTS), 6.12.75+ (for 6.12.x stable), 6.18.16+ (for 6.18.x), 6.19.6+ (for 6.19.x), or 7.0+ for mainline. Patches available at https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a and related commits. For environments unable to patch immediately, specific compensating controls include: (1) disable dm-multipath on NVMe devices and use native NVMe multipath (nvme-cli multipath) instead, which avoids the request-based DM layer entirely-trade-off is loss of DM-specific path management features; (2) migrate NVMe workloads to direct device access without DM layering if multipath not required-reduces flexibility but eliminates attack surface; (3) restrict local user access to systems running vulnerable configurations via PAM/SELinux policies limiting access to users requiring multipath storage-reduces exploitability but does not eliminate risk from already-authenticated users. Note that disabling dm-multipath requires storage reconfiguration and may cause service disruption during migration. Kernel live-patching services (kpatch, kGraft) may provide hotfix deployment without reboot for supported distributions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27674 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy