CVE-2026-43499 – rtmutex: Use waiter::task instead of current in remove_waiter()

CVE ID :CVE-2026-43499

Published : May 21, 2026, 12:17 p.m. | 41 minutes ago

Description :In the Linux kernel, the following vulnerability has been resolved:

rtmutex: Use waiter::task instead of current in remove_waiter()

remove_waiter() is used by the slowlock paths, but it is also used for
proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from
futex_requeue().

In the latter case waiter::task is not current, but remove_waiter()
operates on current for the dequeue operation. That results in several
problems:

1) the rbtree dequeue happens without waiter::task::pi_lock being held

2) the waiter task’s pi_blocked_on state is not cleared, which leaves a
dangling pointer primed for UAF around.

3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter
task

Use waiter::task instead of current in all related operations in
remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the
changelog ]

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-43502 – net/rds: handle zerocopy send cleanup before the message is queued

CVE-2026-43501 – ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

CVE-2026-43498 – accel/ivpu: Disallow re-exporting imported GEM objects

CVE-2026-43494 – net/rds: reset op_nents when zerocopy page pin fails