dm: clear cloned request bio pointer when last clone bio...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: clear cloned request bio pointer when last clone bio completes

Stale rq->bio values have been observed to cause double-initialization of
cloned bios in request-based device-mapper targets, leading to
use-after-free and double-free scenarios.

One such case occurs when using dm-multipath on top of a PCIe NVMe
namespace, where cloned request bios are freed during
blk_complete_request(), but rq->bio is left intact. Subsequent clone
teardown then attempts to free the same bios again via
blk_rq_unprep_clone().

The resulting double-free path looks like:

nvme_pci_complete_batch()
nvme_complete_batch()
blk_mq_end_request_batch()
blk_complete_request() // called on a DM clone request
bio_endio() // first free of all clone bios
...
rq->end_io() // end_clone_request()
dm_complete_request(tio->orig)
dm_softirq_done()
dm_done()
dm_end_request()
blk_rq_unprep_clone() // second free of clone bios

Fix this by clearing the clone request's bio pointer when the last cloned
bio completes, ensuring that later teardown paths do not attempt to free
already-released bios.

Basic Information

ID CVE-2026-43278

Source Linux

Published May 6, 2026 at 11:29

Modified May 8, 2026 at 12:41

Affected Product

Vendor Linux

Product Linux

Version ab3e1d3bbab9e973aeb4dd4603251578658a47ff

Affected Versions Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff
Linux Linux 6.1

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: clear cloned request bio pointer when last clone bio completes\n\nStale rq->bio values have been observed to cause double-initialization of\ncloned bios in request-based device-mapper targets, leading to\nuse-after-free and double-free scenarios.\n\nOne such case occurs when using dm-multipath on top of a PCIe NVMe\nnamespace, where cloned request bios are freed during\nblk_complete_request(), but rq->bio is left intact. Subsequent clone\nteardown then attempts to free the same bios again via\nblk_rq_unprep_clone().\n\nThe resulting double-free path looks like:\n\n  nvme_pci_complete_batch()\n    nvme_complete_batch()\n      blk_mq_end_request_batch()\n        blk_complete_request()        // called on a DM clone request\n          bio_endio()                 // first free of all clone bios\n          ...\n        rq->end_io()                  // end_clone_request()\n          dm_complete_request(tio->orig)\n            dm_softirq_done()\n              dm_done()\n                dm_end_request()\n                  blk_rq_unprep_clone()  // second free of clone bios\n\nFix this by clearing the clone request's bio pointer when the last cloned\nbio completes, ensuring that later teardown paths do not attempt to free\nalready-released bios.",
    "published": "2026-05-06T11:29:00.193Z",
    "modified": "2026-05-08T12:41:43.313Z",
    "type": "cve",
    "title": "dm: clear cloned request bio pointer when last clone bio completes",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67\nhttps://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442\nhttps://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a\nhttps://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850\nhttps://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6\nhttps://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd",
    "id": "CVE-2026-43278",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux ab3e1d3bbab9e973aeb4dd4603251578658a47ff\nLinux Linux 6.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "ab3e1d3bbab9e973aeb4dd4603251578658a47ff",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

dm: clear cloned request bio pointer when last clone bio completes_CVE-2026-43278

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply