CVE-2026-43499

HIGH EPSS 2.6%
Published May 21, 20261mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 21, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 6

  • git.kernel.org https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
  • git.kernel.org https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2
  • git.kernel.org https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166
  • git.kernel.org https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11
  • git.kernel.org https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f
  • git.kernel.org https://git.kernel.org/stable/c/d8cce4773c2b23d819baf5abedc62f7b430e8745

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.