CVE-2026-43309 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

md raid: fix hang when stopping arrays with metadata through dm-raid

When using device-mapper's dm-raid target, stopping a RAID array can cause
the system to hang under specific conditions.

This occurs when:

- A dm-raid managed device tree is suspended from top to bottom
(the top-level RAID device is suspended first, followed by its
underlying metadata and data devices)

- The top-level RAID device is then removed

Removing the top-level device triggers a hang in the following sequence:
the dm-raid destructor calls md_stop(), which tries to flush the
write-intent bitmap by writing to the metadata sub-devices. However, these
devices are already suspended, making them unable to complete the write-intent
operations and causing an indefinite block.

Fix:

- Prevent bitmap flushing when md_stop() is called from dm-raid
destructor context
and avoid a quiescing/unquescing cycle which could also cause I/O

- Still allow write-intent bitmap flushing when called from dm-raid
suspend context

This ensures that RAID array teardown can complete successfully even when the
underlying devices are in a suspended state.

This second patch uses md_is_rdwr() to distinguish between suspend and
destructor paths as elaborated on above.

Published: 2026-05-08

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel’s device‑mapper dm‑raid target. When a dm‑raid array that has metadata devices suspended is removed, the dm‑raid destructor calls md_stop(), which attempts to flush the write‑intent bitmap by writing to the suspended metadata sub‑devices. Because those devices cannot complete I/O while suspended, the flush operation blocks indefinitely, causing the kernel to hang and the system to become unresponsive. The flaw results in a local denial of service that affects overall system availability.

Affected Systems

Any Linux kernel build that includes the device‑mapper dm‑raid target and uses dm‑raid managed arrays with metadata devices is affected. The issue manifests when the array is torn down while its underlying metadata and data devices are in a suspended state. No specific kernel version is enumerated, so all versions that satisfy these conditions should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is not provided and the EPSS value is not available, but the vulnerability is not listed in CISA’s KEV catalog. The attack requires understanding of dm‑raid array management and the ability to trigger the teardown sequence, which typically implies root or privileged access to the system. Consequently, the risk is local only and limited to systems that use dm‑raid under conditions that allow the described suspend and removal sequence. Proper kernel updates or configuration changes mitigate the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 24783dd06de870d646c25207bae186f78195f912
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 338378dfffbdbb8d37a18f0a0c0358812671f91e
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cefcb9297fbdb6d94b61787b4f8d84f55b741470

Linux

affected

Version	Status	Constraints
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,24783dd06de870d646c25207bae186f78195f912)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,338378dfffbdbb8d37a18f0a0c0358812671f91e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cefcb9297fbdb6d94b61787b4f8d84f55b741470)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the patch committing the prevention of bitmap flushing in dm‑raid destructor context (refer to the Git commits linked in the advisory).
If an immediate kernel update is not possible, avoid removing or stopping top‑level dm‑raid devices while their underlying metadata devices are suspended; ensure the metadata devices remain active during array teardown.
Alternatively, configure the system to prevent suspension of the metadata devices while dm‑raid arrays are operational, thereby avoiding the problematic state that triggers the hang.

Generated by OpenCVE AI on May 8, 2026 at 15:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/24783dd06de870d646c25207bae186f78195f912
https://git.kernel.org/stable/c/338378dfffbdbb8d37a18f0a0c0358812671f91e
https://git.kernel.org/stable/c/cefcb9297fbdb6d94b61787b4f8d84f55b741470

History

Fri, 08 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-917

Fri, 08 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level device triggers a hang in the following sequence: the dm-raid destructor calls md_stop(), which tries to flush the write-intent bitmap by writing to the metadata sub-devices. However, these devices are already suspended, making them unable to complete the write-intent operations and causing an indefinite block. Fix: - Prevent bitmap flushing when md_stop() is called from dm-raid destructor context and avoid a quiescing/unquescing cycle which could also cause I/O - Still allow write-intent bitmap flushing when called from dm-raid suspend context This ensures that RAID array teardown can complete successfully even when the underlying devices are in a suspended state. This second patch uses md_is_rdwr() to distinguish between suspend and destructor paths as elaborated on above.
Title		md raid: fix hang when stopping arrays with metadata through dm-raid
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/24783dd06de870d646c25207bae186f78195f912 https://git.kernel.org/stable/c/338378dfffbdbb8d37a18f0a0c0358812671f91e https://git.kernel.org/stable/c/cefcb9297fbdb6d94b61787b4f8d84f55b741470

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:11:27.595Z

Updated: 2026-05-08T13:11:27.595Z

Reserved: 2026-05-01T14:12:56.000Z

Link: CVE-2026-43309

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:38.250

Modified: 2026-05-08T14:16:38.250

Link: CVE-2026-43309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:15:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object