{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43163", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.990Z", "datePublished": "2026-05-06T11:27:41.265Z", "dateUpdated": "2026-05-06T11:27:41.265Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-06T11:27:41.265Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: fix GPF in write_page caused by resize race\n\nA General Protection Fault occurs in write_page() during array resize:\nRIP: 0010:write_page+0x22b/0x3c0 [md_mod]\n\nThis is a use-after-free race between bitmap_daemon_work() and\n__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`\nwithout locking, while the resize path frees that storage via\nmd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,\nallowing concurrent access to freed pages.\n\nFix by holding `mddev->bitmap_info.mutex` during the bitmap update."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/md-bitmap.c"], "versions": [{"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "140cc839fbeb1ddb33a8da8811b716d88d3905b7", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "d3af62411e19752c663fe4f424dbf49d95a4cc7c", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "d92b8fac294b5f915c50e65ce4ae2262e53614ec", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "a437e3bf30e32846079e470c1ba5ee790bccdf89", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "5f73c8b33df9a605a591eab72d43a969600c1f8c", "status": "affected", "versionType": "git"}, {"version": "d60b479d177a5735b6b4db6ee5280ef6653f50e7", "lessThan": "46ef85f854dfa9d5226b3c1c46493d79556c9589", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/md-bitmap.c"], "versions": [{"version": "3.5", "status": "affected"}, {"version": "0", "lessThan": "3.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.252", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "5.10.252"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7"}, {"url": "https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8"}, {"url": "https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c"}, {"url": "https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec"}, {"url": "https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89"}, {"url": "https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f"}, {"url": "https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c"}, {"url": "https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589"}], "title": "md/bitmap: fix GPF in write_page caused by resize race", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/bitmap: fix GPF in write_page caused by resize race\n\nA General Protection Fault occurs in write_page() during array resize:\nRIP: 0010:write_page+0x22b/0x3c0 [md_mod]\n\nThis is a use-after-free race between bitmap_daemon_work() and\n__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`\nwithout locking, while the resize path frees that storage via\nmd_bitmap_file_unmap(). `quiesce()` does not stop the md thread,\nallowing concurrent access to freed pages.\n\nFix by holding `mddev->bitmap_info.mutex` during the bitmap update."}], "id": "CVE-2026-43163", "lastModified": "2026-05-06T13:07:51.607", "metrics": {}, "published": "2026-05-06T12:16:34.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-06T14:30:05.888740+00:00", "updated": "2026-05-06T14:30:05.888750+00:00", "vendors": [], "weaknesses": ["CWE-416", "CWE-362"]}