CVE-2026-43499

Analyzed Analyzed - Analysis Complete

Race Condition in Linux Kernel rtmutex Component

Publication date: 2026-05-21

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-21

Last Modified

2026-06-26

Generated

2026-06-30

AI Q&A

2026-05-21

EPSS Evaluated

2026-06-29

NVD

CVE-2026-43499

EUVD

EUVD-2026-31277

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	From 6.7 (inc) to 6.12.86 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.140 (exc)
linux	linux_kernel	From 6.13 (inc) to 6.18.27 (exc)
linux	linux_kernel	From 6.19 (inc) to 7.0.4 (exc)
linux	linux_kernel	From 2.6.39 (inc) to 6.1.175 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-416	The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Linux kernel's real-time mutex (rtmutex) implementation, specifically in the remove_waiter() function. The function incorrectly uses the current task instead of the waiter::task when removing a waiter from the queue during certain operations like proxy-lock rollback invoked from futex_requeue().

The rbtree dequeue operation happens without holding the pi_lock of the waiter task.
The pi_blocked_on state of the waiter task is not cleared, leaving a dangling pointer that could lead to use-after-free (UAF) issues.
The priority adjustment function rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task.

The fix involves using waiter::task instead of current in all related operations within remove_waiter() to address these problems.

Impact Analysis

This vulnerability can lead to incorrect handling of real-time mutex waiters in the Linux kernel, potentially causing system instability or unexpected behavior.

Specifically, the dangling pointer from the uncleared pi_blocked_on state could result in use-after-free conditions, which attackers might exploit to cause crashes or escalate privileges.

Additionally, incorrect priority adjustments could affect real-time task scheduling, leading to performance degradation or priority inversion issues.

Mitigation Strategies

The vulnerability is resolved by updating the Linux kernel to a version where the fix is applied. Specifically, the fix involves changing remove_waiter() to use waiter::task instead of current in all related operations.

Therefore, the immediate step to mitigate this vulnerability is to apply the latest Linux kernel update that includes this fix.

Hi! I’m here to help you understand CVE-2026-43499. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70