CVE-2026-43271
Awaiting Analysis Awaiting Analysis - Queue
NULL Pointer Dereference in Linux Kernel MD Cluster

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43271
EUVD
EUVD-2026-27666
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 4.12 (inc) to 6.6.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's md-cluster component, specifically in the function process_metadata_update(). The function dereferences a 'thread' pointer without checking if it is NULL, which can happen during a race condition in the MD array startup sequence. If a METADATA_UPDATED message is received before the main MD thread is initialized, the function tries to use a NULL pointer, causing a kernel panic.

The issue arises because the 'thread' pointer is assumed to always exist, but during startup, there is a window where the 'recv_daemon' thread is active while the main MD thread is still NULL. The fix involves validating the 'thread' pointer and safely ignoring update requests if the array is not fully ready.

Impact Analysis

This vulnerability can cause a kernel panic, which leads to a system crash. Such a crash can result in downtime, potential data loss, and disruption of services running on the affected Linux system. It affects systems using the md-cluster functionality during the startup of MD arrays.

Mitigation Strategies

The vulnerability is caused by a NULL pointer dereference in the Linux kernel's md-cluster module during the MD array startup sequence.

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the fix has been applied. The fix involves validating the 'thread' pointer in process_metadata_update() and safely ignoring update requests if the array is not fully ready.

Until you can update, avoid scenarios where METADATA_UPDATED messages might be received during the MD array startup sequence, as this triggers the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart