CVE-2026-43278

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 06/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().

The resulting double-free path looks like:

    nvme_pci_complete_batch()
    nvme_complete_batch()
    blk_mq_end_request_batch()
    blk_complete_request() // called on a DM clone request
    bio_endio() // first free of all clone bios
    ...
    rq->end_io() // end_clone_request()
    dm_complete_request(tio->orig)
    dm_softirq_done()
    dm_done()
    dm_end_request()
    blk_rq_unprep_clone() // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
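
The stale-pointer pattern described above, as an added user-space model; it is not kernel code and not part of the fix itself. The structures and the functions `run_model`, `complete_clone`, `unprep_clone` and `bio_release` are hypothetical, and releases are counted rather than performed so that a repeated release can be observed safely.

```c
#include <stdio.h>

/* Hypothetical user-space model; these are not the kernel's structures. */
#define NBIOS 3
struct bio { struct bio *next; int released; };
struct request { struct bio *bio; int pending; };
struct model { struct request rq; struct bio bios[NBIOS]; };
/* Releases are recorded, not performed; this counts repeated releases. */
static int double_releases;

static void bio_release(struct bio *b) {
    if (b->released) double_releases++;
    b->released = 1;
}

/* Completion path: every clone bio ends and is released (first release). */
static void complete_clone(struct model *m, int clear_on_last) {
    for (int i = 0; i < NBIOS; i++) {
        bio_release(&m->bios[i]);
        if (--m->rq.pending == 0 && clear_on_last)
            m->rq.bio = NULL; /* fix: drop the pointer with the last bio */
    }
}

/* Teardown path: releases whatever rq->bio still references. */
static void unprep_clone(struct request *rq) {
    struct bio *b;
    while ((b = rq->bio) != NULL) {
        rq->bio = b->next;
        bio_release(b);
    }
}

/* Runs completion then teardown; returns the number of double releases. */
int run_model(int clear_on_last) {
    struct model m;
    double_releases = 0;
    for (int i = 0; i < NBIOS; i++) {
        m.bios[i].released = 0;
        m.bios[i].next = (i + 1 < NBIOS) ? &m.bios[i + 1] : NULL;
    }
    m.rq.bio = &m.bios[0];
    m.rq.pending = NBIOS;
    complete_clone(&m, clear_on_last);
    unprep_clone(&m.rq);
    return double_releases;
}

int main(void) {
    printf("stale: %d, cleared: %d\n", run_model(0), run_model(1));
    return 0;
}
```

With the pointer left stale, teardown walks the same chain the completion path already released; with it cleared on the last completion, teardown finds nothing to release.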

Impact