CVE-2026-43499
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel rtmutex Component

Publication date: 2026-05-21

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-06-01
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-43499
EUVD
EUVD-2026-31277
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's real-time mutex (rtmutex) implementation, specifically in the remove_waiter() function. The function incorrectly uses the current task instead of the waiter::task when removing a waiter from the queue during certain operations like proxy-lock rollback invoked from futex_requeue().

  • The rbtree dequeue operation happens without holding the pi_lock of the waiter task.
  • The pi_blocked_on state of the waiter task is not cleared, leaving a dangling pointer that could lead to use-after-free (UAF) issues.
  • The priority adjustment function rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task.

The fix involves using waiter::task instead of current in all related operations within remove_waiter() to address these problems.

Impact Analysis

This vulnerability can lead to incorrect handling of real-time mutex waiters in the Linux kernel, potentially causing system instability or unexpected behavior.

Specifically, the dangling pointer from the uncleared pi_blocked_on state could result in use-after-free conditions, which attackers might exploit to cause crashes or escalate privileges.

Additionally, incorrect priority adjustments could affect real-time task scheduling, leading to performance degradation or priority inversion issues.

Mitigation Strategies

The vulnerability is resolved by updating the Linux kernel to a version where the fix is applied. Specifically, the fix involves changing remove_waiter() to use waiter::task instead of current in all related operations.

Therefore, the immediate step to mitigate this vulnerability is to apply the latest Linux kernel update that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart