Description
In the Linux kernel, the following vulnerability has been resolved:

md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.

While the code comment states "daemon thread must exist", there is a valid
race condition window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until
later in md_run().

If a METADATA_UPDATED message is received from a remote node during this
specific window, process_metadata_update() will be called while
mddev->thread is still NULL, leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we
release the held lock (no_new_dev_lockres) and return early, safely
ignoring the update request as the array is not yet fully ready to
process it.
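The guard described above, as an added userspace C model (not the kernel patch and not code from the original page). Every name ending in `_model`, plus `simulate_startup`, `startup_trace` and the result enum, is hypothetical, and the lock is reduced to a boolean.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace stand-ins with hypothetical names; not kernel definitions. */
struct md_thread_model { int wakeups; };
struct mddev_model {
    struct md_thread_model *thread;   /* NULL until late in md_run() */
    bool no_new_dev_lock_held;        /* models no_new_dev_lockres */
    int applied, ignored;
};
enum update_result { UPDATE_APPLIED, UPDATE_IGNORED_NOT_READY };
struct startup_trace { enum update_result early, late; bool lock_held_after_early; };

/* Patched receive path: validate 'thread' before touching it. */
enum update_result process_metadata_update_model(struct mddev_model *mddev)
{
    struct md_thread_model *thread;
    mddev->no_new_dev_lock_held = true;   /* lock is taken before the check */
    thread = mddev->thread;   /* kernel reads it via rcu_dereference_protected() */
    if (thread == NULL) {
        /* Startup window: drop the held lock on this exit path, then ignore. */
        mddev->no_new_dev_lock_held = false;
        mddev->ignored++;
        return UPDATE_IGNORED_NOT_READY;
    }
    thread->wakeups++;        /* stands in for the wait_event() use of 'thread' */
    mddev->applied++;
    /* Lock handling after this point is not described on the page. */
    return UPDATE_APPLIED;
}

/* Replays the md_run() ordering: one message before mddev->thread is set, one after. */
struct startup_trace simulate_startup(struct mddev_model *mddev, struct md_thread_model *main_thread)
{
    struct startup_trace t;
    t.early = process_metadata_update_model(mddev);  /* recv_daemon already running */
    t.lock_held_after_early = mddev->no_new_dev_lock_held;
    mddev->thread = main_thread;                     /* later in md_run() */
    t.late = process_metadata_update_model(mddev);
    return t;
}

int main(void)
{
    struct md_thread_model th = { 0 };
    struct mddev_model md = { 0 };
    struct startup_trace t = simulate_startup(&md, &th);
    printf("early=%d lock_held=%d late=%d\n", t.early, t.lock_held_after_early, t.late);
    return 0;
}
```

The early message is ignored with the lock released; the same message after the thread pointer is set takes the normal path.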
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel’s md-cluster subsystem causes a NULL pointer dereference when processing a METADATA_UPDATED message during a race condition in the array startup sequence. The dereference occurs in process_metadata_update() while the MD device’s main thread is still uninitialized, leading to a kernel panic and a system crash. This flaw does not provide privilege escalation or data exposure; its primary effect is instability and denial of service.

Affected Systems

The flaw resides in the Linux kernel; all kernels that include the md-cluster implementation before the patch are affected. Specific affected versions are not listed, so any kernel revision that has not incorporated the commit that validates the thread pointer should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, but the availability impact is high because a kernel panic can occur. Exploitation requires an attacker to deliver a METADATA_UPDATED message during the narrow race window in array startup, which may limit practical attacks. The EPSS score of < 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. Nevertheless, the potential for denial of service warrants prompt attention.

Generated by OpenCVE AI on May 8, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the md-cluster NULL pointer dereference fix, such as the commit that validates the thread pointer in process_metadata_update().
  • If an immediate kernel upgrade is not possible, limit exposure by ensuring that MD cluster messages are only processed after the MD device thread is fully initialized; this may involve tuning cluster startup scripts or reordering initialization steps to avoid the race window.
  • As a temporary measure, use firewall or network segmentation to restrict incoming METADATA_UPDATED control traffic to trusted nodes, thereby reducing the chance that a malicious or misconfigured node can trigger the fault.


Advisories

No advisories yet.

History

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 07 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
Title md-cluster: fix NULL pointer dereference in process_metadata_update
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:19.841Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43271

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:48.313

Modified: 2026-05-08T20:00:00.693

Link: CVE-2026-43271

Redhat

Severity : Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43271 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:45:19Z

Weaknesses