Description
In the Linux kernel, the following vulnerability has been resolved:

dm-verity: correctly handle dm_bufio_client_create() failure

If either of the calls to dm_bufio_client_create() in verity_fec_ctr()
fails, then dm_bufio_client_destroy() is later called with an ERR_PTR()
argument. That causes a crash. Fix this.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the Linux kernel's dm‑verity subsystem, where errors from dm_bufio_client_create() are not correctly handled. If either creation call fails, a subsequent call to dm_bufio_client_destroy() receives an ERR_PTR argument, triggering a crash. This fault leads to a denial of service by bringing the kernel down and disrupting system availability.
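
The pattern behind this crash, as an added userspace C example (not the kernel patch and not dm-verity or dm-bufio code): a constructor reports failure as an errno encoded in a pointer, and the shared teardown path must never hand that value to a destructor. `client_create`, `client_destroy`, `ctx_ctr` and `ctx_dtr` are hypothetical stand-ins, and the `ERR_PTR` helpers are re-implemented here for the model.

```c
/* Userspace model of the kernel's ERR_PTR convention (added example; all
 * names are hypothetical stand-ins, not dm-verity or dm-bufio code). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
struct client { int id; };
struct ctx { struct client *data, *meta; };
static int live_clients;              /* counts outstanding allocations */

/* Constructor that reports failure as an encoded pointer, never NULL. */
static struct client *client_create(int id, int fail) {
    struct client *c = fail ? NULL : malloc(sizeof(*c));
    if (!c) return ERR_PTR(-ENOMEM);
    c->id = id; live_clients++;
    return c;
}
/* This destructor trusts its argument; an ERR_PTR here would be a wild free. */
static void client_destroy(struct client *c) { live_clients--; free(c); }
/* Teardown destroys only real pointers and reports how many it released. */
static int ctx_dtr(struct ctx *x) {
    int freed = 0;
    if (x->data && !IS_ERR(x->data)) { client_destroy(x->data); freed++; }
    if (x->meta && !IS_ERR(x->meta)) { client_destroy(x->meta); freed++; }
    x->data = x->meta = NULL;
    return freed;
}

/* Setup: on failure, extract the errno and clear the field before returning,
 * so the shared teardown path never sees the encoded error value. */
static int ctx_ctr(struct ctx *x, int fail_data, int fail_meta) {
    x->data = client_create(1, fail_data);
    if (IS_ERR(x->data)) { long e = PTR_ERR(x->data); x->data = NULL; return (int)e; }
    x->meta = client_create(2, fail_meta);
    if (IS_ERR(x->meta)) { long e = PTR_ERR(x->meta); x->meta = NULL; return (int)e; }
    return 0;
}

int main(void) {
    struct ctx x = {0};
    int rc = ctx_ctr(&x, 0, 1);       /* constructed case: second create fails */
    int freed = ctx_dtr(&x);
    printf("ctr=%d freed=%d live=%d\n", rc, freed, live_clients);
    return 0;
}
```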

Affected Systems

Affected are all Linux kernel deployments that use the dm-verity subsystem and predate the identified patch commit series. The fix applies to all supported kernel versions that incorporate the dm-verity code path, as referenced by the provided git commit URLs.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is < 1%, indicating a very low probability of exploitation. Based on the description, it is inferred that the defect can be triggered by interacting with the dm‑verity monitoring mechanism, suggesting a local or privileged execution requirement. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at the time of reporting.

Generated by OpenCVE AI on May 8, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch commit "dm-verity: correctly handle dm_bufio_client_create() failure".
  • Reboot the system to ensure the updated kernel and dm‑verity subsystem are loaded.
  • Disable dm‑verity for non-essential partitions or configure the system to alert on dm‑verity failures.



Advisories

Source: Debian DLA
ID: DLA-4606-1
Title: linux security update

History

Fri, 08 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-235

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-235

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm-verity: correctly handle dm_bufio_client_create() failure If either of the calls to dm_bufio_client_create() in verity_fec_ctr() fails, then dm_bufio_client_destroy() is later called with an ERR_PTR() argument. That causes a crash. Fix this.
Title dm-verity: correctly handle dm_bufio_client_create() failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:22.593Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43132

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:30.357

Modified: 2026-05-08T17:26:57.643

Link: CVE-2026-43132

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43132 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T23:00:16Z

Weaknesses