CVE-2026-43163
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/bitmap: fix GPF in write_page caused by resize race
A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod]
This is a use-after-free race between bitmap_daemon_work() and
__bitmap_resize(). The daemon iterates over bitmap->storage.filemap
without locking, while the resize path frees that storage via
md_bitmap_file_unmap(). quiesce() does not stop the md thread,
allowing concurrent access to freed pages.
Fix by holding mddev->bitmap_info.mutex during the bitmap update.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < 140cc839fbeb1ddb33a8da8811b716d88d3905b7 | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8 | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < d3af62411e19752c663fe4f424dbf49d95a4cc7c | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < d92b8fac294b5f915c50e65ce4ae2262e53614ec | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < a437e3bf30e32846079e470c1ba5ee790bccdf89 | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < 9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < 5f73c8b33df9a605a591eab72d43a969600c1f8c | affected |
| Linux | Linux | d60b479d177a5735b6b4db6ee5280ef6653f50e7 < 46ef85f854dfa9d5226b3c1c46493d79556c9589 | affected |
| Linux | Linux | 3.5 | affected |
| Linux | Linux | 0 < 3.5 | unaffected |
| Linux | Linux | 5.10.252 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.202 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.165 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.128 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.16 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.6 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7
- https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8
- https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c
- https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec
- https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89
- https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f
- https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c
- https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.