Description
In the Linux kernel, the following vulnerability has been resolved:

md raid: fix hang when stopping arrays with metadata through dm-raid

When using device-mapper's dm-raid target, stopping a RAID array can cause
the system to hang under specific conditions.

This occurs when:

- A dm-raid managed device tree is suspended from top to bottom
(the top-level RAID device is suspended first, followed by its
underlying metadata and data devices)

- The top-level RAID device is then removed

Removing the top-level device triggers a hang in the following sequence:
the dm-raid destructor calls md_stop(), which tries to flush the
write-intent bitmap by writing to the metadata sub-devices. However, these
devices are already suspended, making them unable to complete the write-intent
operations and causing an indefinite block.

Fix:

- Prevent bitmap flushing when md_stop() is called from dm-raid
destructor context
and avoid a quiescing/unquescing cycle which could also cause I/O

- Still allow write-intent bitmap flushing when called from dm-raid
suspend context

This ensures that RAID array teardown can complete successfully even when the
underlying devices are in a suspended state.

This second patch uses md_is_rdwr() to distinguish between suspend and
destructor paths as elaborated on above.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s device-mapper dm-raid target and is a deadlock (CWE-833). When a dm-raid array that has metadata devices suspended is removed, the dm-raid destructor calls md_stop(), which attempts to flush the write‑intent bitmap by writing to the suspended metadata sub‑devices. Because those devices cannot complete I/O while suspended, the flush operation blocks indefinitely, causing the kernel to hang and the system to become unresponsive. The flaw results in a local denial of service. It is inferred that the attacker must have local privileged access, as the teardown requires stopping or removing dm-raid arrays. The attack vector is not explicitly detailed in the advisory.

Affected Systems

Any Linux kernel build that includes the device-mapper dm-raid target and uses dm-raid managed arrays with metadata devices is affected. The issue manifests when the array is torn down while its underlying metadata and data devices are in a suspended state. No specific kernel version is enumerated, so all versions that satisfy these conditions should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 5.5 and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of < 1% indicates a very low probability that attackers are actively exploiting this flaw, though the described conditions remain theoretically feasible. The attack requires understanding of dm‑raid array management and the ability to trigger the teardown sequence, which typically implies root or privileged access. Consequently, the risk is local only and limited to systems that use dm‑raid under conditions that allow the described suspend and removal sequence. Proper kernel updates or configuration changes mitigate the risk. The exact attack vector is not described, but the need for privileged operations implies local availability.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch committing the prevention of bitmap flushing in dm-raid destructor context (refer to the Git commits linked in the advisory).
  • If an immediate kernel update is not possible, avoid removing or stopping top-level dm-raid devices while their underlying metadata devices are suspended; ensure the metadata devices remain active during array teardown.
  • Alternatively, configure the system to prevent suspension of the metadata devices while dm-raid arrays are operational, thereby avoiding the problematic state that triggers the hang.

Generated by OpenCVE AI on May 15, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc7:*:*:*:*:*:*

Sat, 09 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-917

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-917

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level device triggers a hang in the following sequence: the dm-raid destructor calls md_stop(), which tries to flush the write-intent bitmap by writing to the metadata sub-devices. However, these devices are already suspended, making them unable to complete the write-intent operations and causing an indefinite block. Fix: - Prevent bitmap flushing when md_stop() is called from dm-raid destructor context and avoid a quiescing/unquescing cycle which could also cause I/O - Still allow write-intent bitmap flushing when called from dm-raid suspend context This ensures that RAID array teardown can complete successfully even when the underlying devices are in a suspended state. This second patch uses md_is_rdwr() to distinguish between suspend and destructor paths as elaborated on above.
Title md raid: fix hang when stopping arrays with metadata through dm-raid
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:40.288Z

Reserved: 2026-05-01T14:12:56.000Z

Link: CVE-2026-43309

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:38.250

Modified: 2026-05-15T17:58:45.027

Link: CVE-2026-43309

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43309 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:00:07Z

Weaknesses