Description
In the Linux kernel, the following vulnerability has been resolved:

ublk: fix NULL pointer dereference in ublk_ctrl_set_size()

ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via
set_capacity_and_notify() without checking if it is NULL.

ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only
assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs
(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE
handler performs no state validation, a user can trigger a NULL pointer
dereference by sending UPDATE_SIZE to a device that has been added but
not yet started, or one that has been stopped.

Fix this by checking ub->ub_disk under ub->mutex before dereferencing
it, and returning -ENODEV if the disk is not available.
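The lifecycle the commit message describes, written out as an added userspace C model (example code, not the kernel's): ub_disk is NULL from ADD_DEV until START_DEV and NULL again after STOP_DEV, and the patched UPDATE_SIZE handler tests it under the device mutex and returns -ENODEV instead of dereferencing it. The struct layouts, disk_storage and run_lifecycle are stand-ins assumed for the model.

```c
#include <errno.h>
#include <pthread.h>
struct gendisk { unsigned long long capacity; };
struct ublk_device { pthread_mutex_t mutex; struct gendisk *ub_disk; };
static struct gendisk disk_storage;          /* backing object for the model's one disk */

/* UBLK_CMD_START_DEV: the only path that makes ub_disk non-NULL. */
static int ublk_start_dev(struct ublk_device *ub)
{
    pthread_mutex_lock(&ub->mutex);
    ub->ub_disk = &disk_storage;
    pthread_mutex_unlock(&ub->mutex);
    return 0;
}

/* UBLK_CMD_STOP_DEV: detaches the disk, leaving ub_disk NULL again. */
static void ublk_stop_dev(struct ublk_device *ub)
{
    pthread_mutex_lock(&ub->mutex);
    ub->ub_disk = NULL;
    pthread_mutex_unlock(&ub->mutex);
}

/* UBLK_CMD_UPDATE_SIZE, patched form: test ub_disk under the mutex before
 * the capacity update that the unpatched handler performed unconditionally. */
static int ublk_set_size(struct ublk_device *ub, unsigned long long sectors)
{
    int ret = 0;
    pthread_mutex_lock(&ub->mutex);
    if (!ub->ub_disk)
        ret = -ENODEV;                       /* added-but-not-started, or stopped */
    else
        ub->ub_disk->capacity = sectors;     /* stands in for set_capacity_and_notify() */
    pthread_mutex_unlock(&ub->mutex);
    return ret;
}

/* Drive added -> started -> stopped; returns how many of the three
 * UPDATE_SIZE outcomes match the patched behaviour (3 means all). */
static int run_lifecycle(void)
{
    struct ublk_device ub = { PTHREAD_MUTEX_INITIALIZER, NULL };
    int ok = 0;
    ok += ublk_set_size(&ub, 2048) == -ENODEV;        /* device added, not started */
    ublk_start_dev(&ub);
    ok += ublk_set_size(&ub, 2048) == 0 && disk_storage.capacity == 2048;
    ublk_stop_dev(&ub);
    ok += ublk_set_size(&ub, 4096) == -ENODEV;        /* device stopped */
    return ok;
}

int main(void) { return run_lifecycle() == 3 ? 0 : 1; }
```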
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel's ublk subsystem, the function ublk_ctrl_set_size() performs an unconditional dereference of the ub->ub_disk pointer without verifying that the disk object is initialized. Because ub->ub_disk is NULL until the UBLK_CMD_START_DEV command finishes and is reset to NULL after a UBLK_CMD_STOP_DEV operation, an attacker can issue a UBLK_CMD_UPDATE_SIZE command to a device that is either not yet started or has already been stopped. This causes a NULL pointer dereference within the kernel, which typically results in a kernel crash or catastrophic failure. The impact is a denial of service that could terminate the kernel and disrupt all processes on the affected system.

Affected Systems

The vulnerability resides in the upstream Linux kernel and affects all releases that include the ublk driver but not the fix in commit 25966fc097691e5c925ad080f64a2f19c5fd940a. It is not tied to a particular vendor distribution: any distribution shipping the upstream kernel without this commit is affected. Users of the ublk device interface should verify whether their kernel includes the fix; if it does not, the vulnerability is present.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, reflecting a kernel crash that disrupts availability. EPSS data is not available. The attack requires local access to the ublk control interface; root is not strictly required, since any user with access to the ublk device can trigger the crash. The vulnerability is not listed in the CISA KEV catalog and no active exploits are reported, so the likelihood of exploitation in the wild remains uncertain, but the impact is high if the flaw is leveraged.

Generated by OpenCVE AI on May 9, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains commit 25966fc097691e5c925ad080f64a2f19c5fd940a or later, which checks ub->ub_disk before dereferencing it and returns -ENODEV when the disk is not available.
  • If an upgrade cannot be performed immediately, disable or remove all ublk devices from the system, or stop the service that creates/controls ublk devices, until the kernel is patched.
  • Restrict access to the ublk control interface (e.g., kernel module sysfs entries) so that only trusted users can issue UPDATE_SIZE commands, thereby limiting the attack surface.
  • Monitor system logs for kernel oops events or BUG prints that may indicate accidental triggers of the flaw during normal operation.

Generated by OpenCVE AI on May 9, 2026 at 02:00 UTC.


Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000
  References: no values recorded
  Metrics:
    Removed: threat_severity = None
    Added:   cvssV3_1 = {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
             threat_severity = Moderate

Fri, 08 May 2026 16:30:00 +0000
  Weaknesses:
    Added:   CWE-476

Fri, 08 May 2026 14:45:00 +0000
  Description:
    Added:   (the description shown at the top of this page)
  Title:
    Added:   ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
  First Time appeared:
    Added:   Linux; Linux linux Kernel
  CPEs:
    Added:   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products:
    Added:   Linux; Linux linux Kernel
  References: no values recorded

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:17.654Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43364

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:47.383

Modified: 2026-05-08T15:16:47.383

Link: CVE-2026-43364

Red Hat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43364 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T02:00:19Z

Weaknesses