CVE-2026-43364
Received - Intake
Null pointer dereference in Linux kernel ublk subsystem

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix NULL pointer dereference in ublk_ctrl_set_size()

ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking if it is NULL. ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs (ublk_detach_disk() sets it to NULL).

Since the UBLK_CMD_UPDATE_SIZE handler performs no state validation, a user can trigger a NULL pointer dereference by sending UPDATE_SIZE to a device that has been added but not yet started, or one that has been stopped.

Fix this by checking ub->ub_disk under ub->mutex before dereferencing it, and returning -ENODEV if the disk is not available.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ublk subsystem, specifically in the function ublk_ctrl_set_size(). The function dereferences a pointer ub->ub_disk without checking if it is NULL. This pointer is NULL before the device start command (UBLK_CMD_START_DEV) completes and after the device stop command (UBLK_CMD_STOP_DEV) runs. Because the UBLK_CMD_UPDATE_SIZE handler does not validate the device state, an attacker can cause a NULL pointer dereference by sending an UPDATE_SIZE command to a device that is either added but not started or has been stopped.

The issue is fixed by adding a check for ub->ub_disk under a mutex before dereferencing it, returning an error (-ENODEV) if the disk is not available.
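
The check-under-lock pattern described above, as an added userspace C model (not the kernel patch and not code from this page). The struct layouts, the model_* helpers and the set_size_* names are assumptions, and a flag stands in for ub->mutex.

```c
/* Userspace model of the fix pattern, not kernel source. The struct layouts,
 * model_* helpers and set_size_* names are assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
struct model_disk { unsigned long long capacity; };
struct model_ublk {
    int locked;                 /* stand-in for ub->mutex */
    struct model_disk *ub_disk; /* NULL before START_DEV and after STOP_DEV */
};
static void model_lock(struct model_ublk *ub)   { ub->locked = 1; }
static void model_unlock(struct model_ublk *ub) { ub->locked = 0; }
/* Lifecycle transitions as the description states them. */
void model_start_dev(struct model_ublk *ub, struct model_disk *d) { ub->ub_disk = d; }
void model_stop_dev(struct model_ublk *ub) { ub->ub_disk = NULL; }

/* Pre-fix shape: no state check, so a NULL ub_disk is dereferenced. */
int set_size_unpatched(struct model_ublk *ub, unsigned long long sectors)
{
    model_lock(ub);
    ub->ub_disk->capacity = sectors; /* faults when ub_disk == NULL */
    model_unlock(ub);
    return 0;
}

/* Post-fix shape: test the pointer while holding the lock, else -ENODEV. */
int set_size_patched(struct model_ublk *ub, unsigned long long sectors)
{
    int ret = 0;
    model_lock(ub);
    if (ub->ub_disk)
        ub->ub_disk->capacity = sectors;
    else
        ret = -ENODEV;
    model_unlock(ub);
    return ret;
}

int main(void)
{
    struct model_disk disk = { 0 };
    struct model_ublk ub = { 0, NULL }; /* added but not started */
    printf("added:   %d\n", set_size_patched(&ub, 2048));
    model_start_dev(&ub, &disk);
    printf("started: %d\n", set_size_patched(&ub, 2048));
    model_stop_dev(&ub);
    printf("stopped: %d\n", set_size_patched(&ub, 2048));
    return 0;
}
```

The early return on the error path still passes through the unlock, so the lock is released in every state.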


How can this vulnerability impact me?

This vulnerability can lead to a NULL pointer dereference in the Linux kernel, which typically results in a kernel crash or system instability. An attacker with the ability to send specific commands to the ublk device can exploit this to cause a denial of service (DoS) by crashing the system or disrupting its normal operation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update your Linux kernel to a version that includes the fix for the NULL pointer dereference in ublk_ctrl_set_size().

The fix involves checking the ub->ub_disk pointer under ub->mutex before dereferencing it and returning an error if the disk is not available, preventing the NULL pointer dereference.

Until the update is applied, avoid sending UBLK_CMD_UPDATE_SIZE commands to devices that have been added but not yet started, or to devices that have been stopped.

