Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-06T00:00:00 kernel: dm: clear cloned request bio pointer when last clone bio completes 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-825

In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.

A flaw was found in the Linux kernel's device-mapper (dm) component, specifically affecting request-based device-mapper targets like dm-multipath. Stale bio pointers in cloned requests can lead to double-initialization and subsequent double-free scenarios of cloned bios. This memory corruption vulnerability could potentially allow a local attacker to cause a denial of service or escalate privileges.

Red Hat acknowledges the upstream Linux kernel correction for «dm» as described in COMMENT_ZERO. Fixes are delivered through standard kernel errata for supported products. Operational exposure depends on whether this subsystem or driver is active in your configuration. To mitigate this issue, prevent the dm_mod module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-43278 https://nvd.nist.gov/vuln/detail/CVE-2026-43278 https://lore.kernel.org/linux-cve-announce/2026050613-CVE-2026-43278-95fa@gregkh/T