CVE-2026-43132 Overview
CVE-2026-43132 is a kernel vulnerability in the Linux device-mapper verity (dm-verity) target. The flaw resides in verity_fec_ctr(), the constructor for the forward error correction (FEC) feature of dm-verity. When either call to dm_bufio_client_create() fails, the function returns an ERR_PTR() value. The cleanup path subsequently passes that ERR_PTR() to dm_bufio_client_destroy(), which dereferences it as a valid pointer and crashes the kernel.
The defect is a kernel-mode null/error pointer dereference triggered during error handling. Successful triggering leads to a kernel oops or panic, producing a denial-of-service condition on the affected system.
Critical Impact
A failed dm_bufio_client_create() call inside verity_fec_ctr() causes the kernel to dereference an ERR_PTR() value during cleanup, resulting in a kernel crash and local denial of service.
Affected Products
- Linux kernel branches containing the dm-verity FEC constructor verity_fec_ctr() prior to the fixing commits
- Stable kernel trees patched via commits 031f2adc, 119f4f04, 451cc650, 5c2217dd, 6283e49a, 9b8dc1d3, b154a868, and d3e1f1ad
- Distributions that ship dm-verity with FEC enabled in their kernel builds
Discovery Timeline
- 2026-05-06 - CVE-2026-43132 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43132
Vulnerability Analysis
The dm-verity target provides transparent integrity checking of block devices and supports an optional FEC layer to recover from corruption. During target construction, verity_fec_ctr() allocates two dm_bufio clients via dm_bufio_client_create() to back metadata and parity I/O. On allocation failure, dm_bufio_client_create() returns an ERR_PTR() rather than NULL.
The original code stored the returned value directly into the FEC context without distinguishing error pointers from valid pointers. When the constructor later failed and invoked the destructor path, dm_bufio_client_destroy() was called on the stored ERR_PTR(). The destroy routine treats its argument as a live struct dm_bufio_client, so dereferencing the encoded error value triggers a kernel fault.
The fix updates the failure handling so that dm_bufio_client_destroy() is only called on pointers that were successfully created. See the upstream commits referenced below for the patch logic.
Root Cause
The root cause is improper error pointer handling in verity_fec_ctr(). The function failed to differentiate between a successfully created bufio client and an ERR_PTR() sentinel before passing the value to a destroy routine. This is a classic Linux kernel IS_ERR() check omission leading to an invalid pointer dereference during cleanup.
Attack Vector
Triggering the bug requires conditions that cause dm_bufio_client_create() to fail during dm-verity FEC target setup. A local user with privileges to create device-mapper targets, or an automated provisioning component that constructs dm-verity FEC devices under memory pressure, can reach the vulnerable path. The result is a kernel crash, not memory corruption suitable for code execution. The bug is reachable only on kernels built with dm-verity FEC support and only along the constructor failure path. See the Kernel Git Commit b154a868 and related stable tree commits for the precise call sequence.
Detection Methods for CVE-2026-43132
Indicators of Compromise
- Kernel oops or panic messages referencing dm_bufio_client_destroy in the call trace
- BUG: unable to handle page fault entries originating from verity_fec_ctr during target activation
- Repeated device-mapper: verity-fec setup failures in dmesg followed by host instability
Detection Strategies
- Inspect kernel logs (journalctl -k, /var/log/kern.log) for crashes whose stack frames include verity_fec_ctr and dm_bufio_client_destroy
- Compare running kernel versions against vendor advisories that reference the upstream stable commits listed in the external references
- Monitor systems that programmatically build dm-verity FEC targets (Android-style verified boot, secure container runtimes) for elevated setup-failure rates
Monitoring Recommendations
- Forward kernel ring-buffer events to a centralized logging or SIEM platform and alert on dm-verity related oops signatures
- Track host availability and unexpected reboots on systems that use dm-verity with FEC, correlating with device-mapper setup activity
- Maintain an inventory of kernel versions across the fleet and flag hosts running unpatched branches identified in the kernel.org stable references
How to Mitigate CVE-2026-43132
Immediate Actions Required
- Update affected hosts to a Linux kernel version that includes one of the upstream fixes referenced in the CVE record
- Restrict the ability to create or reconfigure device-mapper targets to trusted administrators and provisioning services
- Audit automation that constructs dm-verity FEC devices and add resilience around setup failures so a kernel crash cannot silently take a host down
Patch Information
The vulnerability is fixed upstream and backported across stable trees. Apply the patches available at the following kernel.org references: Kernel Git Commit 031f2adc, Kernel Git Commit 119f4f04, Kernel Git Commit 451cc650, Kernel Git Commit 5c2217dd, Kernel Git Commit 6283e49a, Kernel Git Commit 9b8dc1d3, Kernel Git Commit b154a868, and Kernel Git Commit d3e1f1ad. Distributions should rebase to the corresponding stable point release.
Workarounds
- Disable the dm-verity FEC feature on workloads that do not require parity-based recovery, eliminating the vulnerable code path
- Limit unprivileged access to CAP_SYS_ADMIN and the device-mapper control interface so only trusted code can invoke verity_fec_ctr()
- Deploy memory pressure controls on hosts that build dm-verity targets at runtime to reduce the likelihood of dm_bufio_client_create() allocation failures
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
