{ "threat_severity" : "Moderate", "public_date" : "2026-05-06T00:00:00Z", "bugzilla" : { "description" : "kernel: md-cluster: fix NULL pointer dereference in process_metadata_update", "id" : "2467074", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467074" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-824", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd-cluster: fix NULL pointer dereference in process_metadata_update\nThe function process_metadata_update() blindly dereferences the 'thread'\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n1. bitmap_load() is called, which invokes md_cluster_ops->join().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev->thread (the main MD thread) is not initialized until\nlater in md_run().\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev->thread is still NULL, leading to a kernel panic.\nTo fix this, we must validate the 'thread' pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it.", "A flaw was found in the Linux kernel's md-cluster module. During the startup of a multi-device (MD) array, a race condition can occur where a remote node sends a metadata update message before the system is fully ready to process it. This premature processing leads to a null pointer dereference, causing the kernel to panic. A successful exploit could result in a Denial of Service (DoS) for the affected system." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43271\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43271\nhttps://lore.kernel.org/linux-cve-announce/2026050610-CVE-2026-43271-0404@gregkh/T" ], "name" : "CVE-2026-43271", "csaw" : false }