GHSA-3R8G-C43C-9GW2

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 21:31
Details

In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.

While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):

  1. bitmap_load() is called, which invokes md_cluster_ops->join().
  2. join() starts the "cluster_recv" thread (recv_daemon).
  3. At this point, recv_daemon is active and processing messages.
  4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().

If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
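The startup window and the fix described above, modelled as an added C example (not the kernel's code): struct mddev, struct md_thread, the lock helpers and replay_startup_window() are hypothetical stand-ins for the kernel objects named in the advisory, and the pre-fix handler returns UPD_NULL_DEREF where the kernel would fault inside wait_event().

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical stand-ins for the kernel objects named in the advisory. */
struct md_thread { int wakeups; };
struct mddev {
    struct md_thread *thread;        /* mddev->thread: NULL until md_run() creates it */
    bool no_new_dev_lock_held;       /* models no_new_dev_lockres being held */
    int updates_applied;
};
enum upd_result { UPD_APPLIED = 0, UPD_IGNORED = 1, UPD_NULL_DEREF = -1 };
static void lock_no_new_dev(struct mddev *m)   { m->no_new_dev_lock_held = true; }
static void unlock_no_new_dev(struct mddev *m) { m->no_new_dev_lock_held = false; }
/* Pre-fix shape: wakes the MD thread without checking it exists. The NULL
 * dereference is modelled as UPD_NULL_DEREF so the race can run in a test. */
static enum upd_result process_metadata_update_unfixed(struct mddev *m)
{
    lock_no_new_dev(m);
    if (m->thread == NULL)
        return UPD_NULL_DEREF;       /* kernel: panic inside wait_event(); lock never released */
    m->thread->wakeups++;
    m->updates_applied++;
    unlock_no_new_dev(m);
    return UPD_APPLIED;
}
/* Fixed shape per the advisory: validate thread, release the lock, return early. */
static enum upd_result process_metadata_update_fixed(struct mddev *m)
{
    lock_no_new_dev(m);
    if (m->thread == NULL) {
        unlock_no_new_dev(m);        /* release no_new_dev_lockres before bailing */
        return UPD_IGNORED;          /* array not ready: drop this METADATA_UPDATED */
    }
    m->thread->wakeups++;
    m->updates_applied++;
    unlock_no_new_dev(m);
    return UPD_APPLIED;
}

/* Replays the startup window: a remote METADATA_UPDATED arrives after join()
 * started recv_daemon but before md_run() set mddev->thread, then again once
 * the thread exists. Returns the outcome of the first (racy) delivery. */
static enum upd_result replay_startup_window(struct mddev *m, struct md_thread *t,
                                             enum upd_result (*handler)(struct mddev *))
{
    m->thread = NULL;
    enum upd_result first = handler(m);  /* step 3: thread still NULL */
    m->thread = t;                       /* step 4: md_run() creates the thread */
    handler(m);                          /* redelivery after startup is applied */
    return first;
}
```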


{
  "affected": [],
  "aliases": [
    "CVE-2026-43271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the \u0027thread\u0027\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops-\u003ejoin().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev-\u003ethread (the main MD thread) is not initialized until\n   later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev-\u003ethread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the \u0027thread\u0027 pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it.",
  "id": "GHSA-3r8g-c43c-9gw2",
  "modified": "2026-05-08T21:31:21Z",
  "published": "2026-05-06T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43271"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

