CVE-2026-43278
Status: Awaiting Analysis - Queue
Double-Free in Linux Kernel Device Mapper

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().

The resulting double-free path looks like:

  nvme_pci_complete_batch()
  nvme_complete_batch()
  blk_mq_end_request_batch()
  blk_complete_request()          // called on a DM clone request
  bio_endio()                     // first free of all clone bios
  ...
  rq->end_io()                    // end_clone_request()
  dm_complete_request(tio->orig)
  dm_softirq_done()
  dm_done()
  dm_end_request()
  blk_rq_unprep_clone()           // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
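The two free paths in the call chain above, as an added model in C (not kernel code and not the patch itself): a freed-flag tracker stands in for the allocator so the second free is counted rather than triggered, and the test shows that clearing rq->bio when the last clone bio completes leaves blk_rq_unprep_clone() with nothing to free. Struct and function names are simplified stand-ins for the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a DM clone request and its bio chain; not kernel code.
 * Names mirror the kernel's rq->bio and bio->bi_next for readability only. */
struct bio {
    struct bio *bi_next;   /* next bio in the chain */
    bool freed;            /* tracker standing in for the real allocator */
};
struct request {
    struct bio *bio;       /* head of the clone bio chain, like rq->bio */
    int double_frees;      /* attempts to free a bio that was already freed */
};

/* Stand-in for bio_put(): records a double free instead of corrupting the heap. */
static void bio_put_model(struct request *rq, struct bio *b) {
    if (b->freed) rq->double_frees++;   /* already released: a double free */
    else b->freed = true;
}

/* Completion path (blk_complete_request -> bio_endio on each clone bio). With
 * fixed == true, rq->bio is cleared when the last clone bio completes, as the fix does. */
static void complete_clone_request(struct request *rq, bool fixed) {
    for (struct bio *b = rq->bio, *next = NULL; b; b = next) {
        next = b->bi_next;
        bio_put_model(rq, b);               /* first free of the clone bio */
        if (next == NULL && fixed)
            rq->bio = NULL;                 /* the fix: drop the stale pointer */
    }
}

/* Teardown path (blk_rq_unprep_clone): frees whatever rq->bio still points at. */
static void unprep_clone(struct request *rq) {
    struct bio *b;
    while ((b = rq->bio) != NULL) {
        rq->bio = b->bi_next;
        bio_put_model(rq, b);               /* second free if rq->bio was stale */
    }
}

/* Runs completion then teardown on a chain of n bios (1 <= n <= 8) and returns
 * how many double frees the teardown performed: n without the fix, 0 with it. */
int double_frees_after_teardown(int n, bool fixed) {
    struct bio bios[8] = {0};
    struct request rq = { .bio = &bios[0], .double_frees = 0 };
    for (int i = 0; i < n; i++)
        bios[i].bi_next = (i + 1 < n) ? &bios[i + 1] : NULL;
    complete_clone_request(&rq, fixed);
    unprep_clone(&rq);
    return rq.double_frees;
}
```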
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor        Product       Version / Range
linux         linux_kernel  *
linux_kernel  linux_kernel  *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's device-mapper (dm) subsystem. It involves a flaw where cloned request bio pointers are not cleared properly when the last cloned bio completes. This leads to stale bio pointers causing double-initialization of cloned bios, which in turn can cause use-after-free and double-free memory errors.

Specifically, when using dm-multipath on top of a PCIe NVMe namespace, the cloned request's bios are freed during the completion of the block request, but the clone request's bio pointer (rq->bio) remains set. Later, when the clone teardown process runs, it attempts to free these bios again, causing a double free.

The fix involves clearing the bio pointer in the clone request once the last cloned bio completes, preventing the second free attempt and avoiding the use-after-free and double-free issues.


How can this vulnerability impact me?

This vulnerability can lead to memory corruption issues such as use-after-free and double-free errors in the Linux kernel's device-mapper subsystem. Such memory errors can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

If exploited, it could compromise the integrity and availability of systems using dm-multipath on PCIe NVMe devices, potentially leading to denial of service or escalation of privileges.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by clearing the cloned request bio pointer when the last cloned bio completes, preventing double-free scenarios.

To mitigate this vulnerability immediately, update your Linux kernel to a version that includes this fix.

