CVE-2026-43278

medium Red Hat
CVSS v3 Base Score
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.0%
Exploitation probability in 30 days
Top 97% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Confidentiality
None
Integrity
None
Availability
High
Published: May 6, 2026 (65 days ago)
Last Modified: May 6, 2026
Vendor: Red Hat
Source: REDHAT

Description

In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.

CWE

CWE-825

Affected Products

Red Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9

References