Description
In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of
cloned bios in request-based device-mapper targets, leading to
use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe
namespace, where cloned request bios are freed during
blk_complete_request(), but rq->bio is left intact. Subsequent clone
teardown then attempts to free the same bios again via
blk_rq_unprep_clone().

The resulting double-free path looks like:

nvme_pci_complete_batch()
nvme_complete_batch()
blk_mq_end_request_batch()
blk_complete_request() // called on a DM clone request
bio_endio() // first free of all clone bios
...
rq->end_io() // end_clone_request()
dm_complete_request(tio->orig)
dm_softirq_done()
dm_done()
dm_end_request()
blk_rq_unprep_clone() // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned
bio completes, ensuring that later teardown paths do not attempt to free
already-released bios.
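The stale-pointer double free described above, reduced to a userspace C model (an added example, not kernel code and not taken from the fix commit). The struct layouts, the `pending` counter, the `fixed` flag and the names `bio_release`, `complete_clone_bios`, `unprep_clone` and `total_releases` are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model: these structs stand in for the roles of the kernel's
 * struct bio and struct request; they are not the kernel definitions. */
struct bio { struct bio *next; int frees; };
struct request { struct bio *bio; int pending; };

/* Counts releases instead of calling free(), so a repeated release is
 * observable rather than undefined behaviour. */
static void bio_release(struct bio *b) { b->frees++; }

/* Completion side (bio_endio() in the trace). pending is this model's way of
 * spotting the last clone bio; with fixed != 0 that completion clears rq->bio. */
static void complete_clone_bios(struct request *rq, int fixed)
{
    for (struct bio *b = rq->bio, *n; b != NULL; b = n) {
        n = b->next;              /* read the link before releasing */
        bio_release(b);
        if (--rq->pending == 0 && fixed)
            rq->bio = NULL;
    }
}

/* Teardown side (blk_rq_unprep_clone()): releases what rq->bio still holds. */
static void unprep_clone(struct request *rq)
{
    struct bio *b;
    while ((b = rq->bio) != NULL) {
        rq->bio = b->next;
        bio_release(b);
    }
}

/* Runs one clone lifecycle over three bios; returns total releases. */
int total_releases(int fixed)
{
    struct bio bios[3] = { { NULL, 0 } };
    struct request rq = { &bios[0], 3 };
    bios[0].next = &bios[1];
    bios[1].next = &bios[2];
    complete_clone_bios(&rq, fixed);
    unprep_clone(&rq);
    return bios[0].frees + bios[1].frees + bios[2].frees;
}

int main(void) {
    printf("stale: %d releases, cleared: %d\n", total_releases(0), total_releases(1));
    return 0;
}
```

With the pointer left stale, three bios are released six times; with the pointer cleared on the last completion, teardown finds nothing to release and each bio is released once.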
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stale request bio pointer in the Linux kernel’s device‑mapper path can cause a double‑free followed by a use‑after‑free when cloned bios are released. Based on the description, it is inferred that the likely attack vector requires local privileged access to trigger the vulnerable I/O path, for example by initiating high‑frequency device requests through dm‑multipath. The resulting kernel memory corruption could allow an attacker to execute arbitrary code with kernel privileges or to crash the system. The weakness is classified as a double free (CWE‑415), with use‑after‑free as a related condition.

Affected Systems

The flaw affects the Linux kernel through its device‑mapper module, particularly when dm‑multipath is layered over PCIe NVMe namespaces. Any kernel containing unpatched device‑mapper code is potentially vulnerable; no specific kernel version is identified in the CVE data.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require local or privileged access to trigger the vulnerable I/O path, such as initiating high‑frequency device requests through dm‑multipath. Successful exploitation could result in kernel memory corruption, potential code execution, or a denial of service.

Generated by OpenCVE AI on May 8, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your Linux kernel to a version that includes the patch clearing the cloned request’s bio pointer, such as kernels rebuilt after the commit documented in the advisory.
  • If an immediate kernel upgrade is not feasible, disable the dm‑multipath target or prevent NVMe devices from being used via device‑mapper until the fix is applied.
  • Continuously monitor kernel logs (e.g., dmesg, /var/log/kern.log) for signs of double‑free errors or crashes, and restrict privileged users from performing excessive I/O operations that could trigger the vulnerable path.



Advisories

No advisories yet.

History

Fri, 08 May 2026 19:45:00 +0000


Fri, 08 May 2026 13:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 18:30:00 +0000


Thu, 07 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
Title dm: clear cloned request bio pointer when last clone bio completes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:28.049Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43278

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:49.213

Modified: 2026-05-08T19:38:24.763

Link: CVE-2026-43278

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43278 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:00:10Z

Weaknesses