{"id":"CVE-2026-43271","summary":"md-cluster: fix NULL pointer dereference in process_metadata_update","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the 'thread'\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops-\u003ejoin().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev-\u003ethread (the main MD thread) is not initialized until\n   later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev-\u003ethread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the 'thread' pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it.","modified":"2026-06-18T03:56:20.629993279Z","published":"2026-05-06T11:28:55.507Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43271.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43271.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43271"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0ba959774e93911caff596de6391f085fb640ac4"},{"fixed":"a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"},{"fixed":"dec123825c1ed74d98fd5fc7571a851dea4f46ff"},{"fixed":"721599e837d3f4c0e6cc14da059612c017b6d3ec"},{"fixed":"dceb5a843910004cb118148e267036104fc3ee43"},{"fixed":"f150e753cb8dd756085f46e86f2c35ce472e0a3c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43271.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.12.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43271.json"}}],"schema_version":"1.7.5"}