Skip to main content

Linux Kernel EUVDEUVD-2026-31277

| CVE-2026-43499 HIGH
Use After Free (CWE-416)
2026-05-21 Linux GHSA-cqc6-9f34-295v
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:29 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

rtmutex: Use waiter::task instead of current in remove_waiter()

remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue().

In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:

  1. the rbtree dequeue happens without waiter::task::pi_lock being held
  2. the waiter task's pi_blocked_on state is not cleared, which leaves a

dangling pointer primed for UAF around.

  1. rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter

task

Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]

AnalysisAI

Local privilege escalation and potential memory corruption in the Linux kernel's rtmutex (real-time mutex) subsystem stems from remove_waiter() incorrectly operating on the current task instead of waiter::task during proxy-lock rollback in futex_requeue() paths. Exploitation can leave a dangling pi_blocked_on pointer primed for a use-after-free, with CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting local low-privileged access. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but the UAF primitive is a known building block for kernel privilege escalation.

Technical ContextAI

The rtmutex implementation underpins PI-futexes and other priority-inheritance locking in the Linux kernel. In rt_mutex_start_proxy_lock(), invoked from futex_requeue(), remove_waiter() is called on behalf of a waiter that is not the current task. The buggy code dequeued the waiter using current's pi_lock and never cleared the real waiter task's pi_blocked_on field, producing three concrete defects: an rbtree dequeue without the proper pi_lock held, a dangling pi_blocked_on pointer (a classic use-after-free precondition), and rt_mutex_adjust_prio_chain() walking the wrong top-priority waiter. The fix switches all related operations in remove_waiter() to use waiter::task. The affected CPE is cpe:2.3:a:linux:linux:*, with the regression traced back to commit 8161239a8bcce9 (around Linux 2.6.39).

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) depending on the stable series in use, applying the corresponding commits from git.kernel.org (8a1fc8d698ac, 6d52dfcb2a5d, 3fb7394a8377, 3bfdc63936dd, 88614876370a). On distribution kernels, install the vendor kernel update once your distro (RHEL, SUSE, Ubuntu, Debian, Amazon Linux, etc.) ships the backport and reboot, since rtmutex/futex code cannot be live-patched safely in all cases - schedule a maintenance window. Where patching must be delayed, reduce exposure by restricting local shell and container-escape surface: minimize untrusted local users, enable seccomp profiles that block or constrain the futex() syscall (especially FUTEX_CMP_REQUEUE_PI) for untrusted workloads, and enforce user namespace and capability restrictions; note the trade-off that broad futex restrictions can break glibc pthread condition variables and PI-aware real-time workloads, so test before rolling out. There is no meaningful network-side mitigation because the attack vector is local.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-31277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy