Description
In the Linux kernel, the following vulnerability has been resolved:

md/bitmap: fix GPF in write_page caused by resize race

A General Protection Fault occurs in write_page() during array resize:
RIP: 0010:write_page+0x22b/0x3c0 [md_mod]

This is a use-after-free race between bitmap_daemon_work() and
__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`
without locking, while the resize path frees that storage via
md_bitmap_file_unmap(). `quiesce()` does not stop the md thread,
allowing concurrent access to freed pages.

Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel md bitmap module contains a race condition between bitmap_daemon_work() and __bitmap_resize() that can trigger a general protection fault during write_page() when the bitmap storage is resized concurrently with the daemon iterating over the same memory. The missing mutex protection leads to a use‑after‑free, which results in an unhandled kernel crash and a system reboot. The flaw falls under CWE-416 and CWE-362.
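The locking discipline the fix describes, as a user-space pthread model added here (not kernel code and not taken from the patch). It assumes the daemon walk and the resize both take one mutex standing in for `mddev->bitmap_info.mutex`; `run_model`, `storage_alloc`, `storage_free` and the int-per-page layout are constructed for illustration.

```c
/* User-space model (constructed); names mirror the advisory, this is not kernel code. */
#include <pthread.h>
#include <stdlib.h>
#define ROUNDS 20000
static int *filemap, pages;  /* models bitmap->storage.filemap; each int stands in for a page */
static long bad_walks;       /* daemon passes that saw inconsistent storage */
static pthread_mutex_t bitmap_mutex = PTHREAD_MUTEX_INITIALIZER; /* mddev->bitmap_info.mutex */
static void storage_alloc(int n) {
    if (!(filemap = malloc(n * sizeof(*filemap)))) abort();
    for (int i = 0; i < n; i++) filemap[i] = 1;
    pages = n;
}
static void storage_free(void) {   /* models md_bitmap_file_unmap() */
    free(filemap); filemap = NULL; pages = 0;
}
/* Daemon side: walks every page; holding the mutex keeps the storage alive. */
static void *daemon_thread(void *arg) {
    (void)arg;
    for (int r = 0; r < ROUNDS; r++) {
        long sum = 0;
        pthread_mutex_lock(&bitmap_mutex);
        for (int i = 0; i < pages; i++) sum += filemap[i];
        if (sum != pages) bad_walks++;
        pthread_mutex_unlock(&bitmap_mutex);
    }
    return NULL;
}
/* Resize side: freeing and replacing the storage is one critical section. */
static void *resize_thread(void *arg) {
    (void)arg;
    for (int r = 0; r < ROUNDS; r++) {
        pthread_mutex_lock(&bitmap_mutex);
        storage_free();
        storage_alloc(4 + r % 8);
        pthread_mutex_unlock(&bitmap_mutex);
    }
    return NULL;
}
/* Runs both paths concurrently; returns the number of inconsistent walks. */
long run_model(void) {
    pthread_t d, z;
    bad_walks = 0;
    storage_alloc(4);
    if (pthread_create(&d, NULL, daemon_thread, NULL)) abort();
    if (pthread_create(&z, NULL, resize_thread, NULL)) abort();
    pthread_join(d, NULL); pthread_join(z, NULL);
    storage_free();
    return bad_walks;
}
int main(void) { return run_model() ? 1 : 0; }
```

Build with `-pthread`; adding `-fsanitize=thread` or `-fsanitize=address` and then removing the lock from either thread makes the sanitizer report the race or the use-after-free that the mutex prevents.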

Affected Systems

All Linux kernel releases that include the md bitmap module without the introduced mutex lock are affected. The data does not specify an exact version range; therefore any kernel that has not applied the patch that adds the mutex protection around the bitmap update is vulnerable. The modified code is part of the mainline kernel and will be present in all distributions that ship the corresponding kernel version.

Risk and Exploitability

The official score database does not provide a CVSS score and the EPSS score is reported as not available, so a numeric assessment of likelihood cannot be derived. Based on the description, it is inferred that the flaw can be triggered by a local user with sufficient privileges to manipulate block devices, such as an individual with root access or a process operating within a virtual machine that controls the block layer. The crash only occurs while the kernel is running, resulting in a local denial of service. The vulnerability is not currently listed in CISA’s KEV, but the presence of a kernel crash and lack of a hardening path suggest the risk is significant for impacted systems.

Generated by OpenCVE AI on May 6, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to a kernel version that includes the patch adding the mutex protection in the md bitmap module.
  • Reboot the system to load the updated kernel.
  • If a kernel upgrade cannot be performed immediately, disable the bitmap resizing process by preventing the md bitmap module from operating on vulnerable block devices or by stopping the bitmap daemon service.
  • As a temporary compromise, ensure that no untrusted user space processes invoke bitmap resizing operations on affected devices.


Advisories

No advisories yet.

History

Wed, 06 May 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-362, CWE-416 |

Wed, 06 May 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurrent access to freed pages. Fix by holding `mddev->bitmap_info.mutex` during the bitmap update. |
| Title | | md/bitmap: fix GPF in write_page caused by resize race |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | `cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Linux; Linux linux Kernel |

References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:41.265Z

Reserved: 2026-05-01T14:12:55.990Z

Link: CVE-2026-43163

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:34.410

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:30:05Z

Weaknesses