CVE-2026-43309 Overview
CVE-2026-43309 is a Linux kernel vulnerability in the multiple device (md) RAID subsystem when accessed through the device-mapper dm-raid target. Stopping a RAID array under specific suspend conditions causes the system to hang indefinitely. The issue arises during teardown of dm-raid managed device trees, where the destructor attempts to flush the write-intent bitmap to already-suspended metadata devices. The affected code paths exist in Linux kernel versions starting from the 6.0 release series. Exploitation requires local access with privileges sufficient to manage RAID arrays through device-mapper.
Critical Impact
A local privileged user can trigger an indefinite system hang during dm-raid array teardown, resulting in denial of service on storage subsystems managed by md RAID with metadata.
Affected Products
- Linux Kernel 6.0 (including release candidates rc3 through rc7)
- Linux Kernel branches incorporating the affected md_stop() flush logic via dm-raid
- Distributions shipping kernels prior to the commits 24783dd0, 338378df, and cefcb929
Discovery Timeline
- 2026-05-08 - CVE-2026-43309 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43309
Vulnerability Analysis
The vulnerability resides in the interaction between the device-mapper dm-raid target and the md RAID subsystem during array teardown. When a dm-raid managed device tree is suspended from top to bottom, the top-level RAID device is suspended first, followed by its underlying metadata and data devices. Removing the top-level device after this ordering triggers the dm-raid destructor, which calls md_stop(). The md_stop() routine attempts to flush the write-intent bitmap by issuing writes to the metadata sub-devices. Because those sub-devices are already in a suspended state, the writes cannot complete and the destructor blocks indefinitely.
The affected component is the kernel storage stack, and the impact is limited to availability of storage I/O paths managed by md RAID. The vulnerability falls under the kernel vulnerability category and is tracked under [NVD-CWE-noinfo].
Root Cause
The root cause is the unconditional write-intent bitmap flush in md_stop() when invoked from the dm-raid destructor path. The flush logic did not distinguish between a suspend context, where the underlying devices remain writable, and a destructor context, where the metadata devices have already been suspended. Issuing bitmap writes to suspended block devices results in I/O submissions that never complete.
Attack Vector
The attack vector is local and requires the ability to configure and manipulate device-mapper RAID targets. A local user with privileges to suspend dm-raid device trees and remove the top-level RAID device can deterministically trigger the hang. The vulnerability does not provide code execution, information disclosure, or integrity impact. The impact is confined to availability through indefinite blocking of kernel threads involved in the teardown.
No public proof-of-concept exploit is referenced in the enriched data, and the EPSS data indicates a low predicted exploitation likelihood. The vulnerability has not been observed in active exploitation campaigns. Triggering the condition requires specific dm-raid suspend ordering, which is not a typical accidental user action.
Detection Methods for CVE-2026-43309
Indicators of Compromise
- Kernel threads associated with dm-raid teardown appearing in uninterruptible sleep (D state) for extended periods
- hung_task warnings in dmesg referencing md_stop, bitmap write paths, or dm-raid destructor functions
- Stalled dmsetup remove operations targeting RAID-backed mappings while underlying devices remain suspended
Detection Strategies
- Monitor kernel logs for hung task timeouts originating from md or dm-raid call stacks after RAID array operations
- Audit storage management activity that suspends dm-raid device trees followed by top-level device removal
- Track running kernel versions across the fleet and correlate against the patched commits 24783dd0, 338378df, and cefcb929
Monitoring Recommendations
- Enable CONFIG_DETECT_HUNG_TASK and review khungtaskd output for blocked tasks in storage subsystems
- Alert on prolonged dmsetup or LVM RAID operations that fail to return
- Aggregate kernel telemetry into a centralized data store to correlate storage stalls with RAID configuration changes
How to Mitigate CVE-2026-43309
Immediate Actions Required
- Apply the upstream kernel fix or vendor backport that incorporates commits 24783dd0, 338378df, and cefcb929
- Restrict privileges required to invoke dmsetup suspend and dmsetup remove on RAID-backed targets to trusted administrators
- Avoid suspending dm-raid device trees from top to bottom prior to removing the top-level device until the patched kernel is installed
Patch Information
The fix prevents bitmap flushing when md_stop() is invoked from the dm-raid destructor context and avoids a quiesce/unquiesce cycle that could also generate I/O. Write-intent bitmap flushing remains permitted when md_stop() is called from the dm-raid suspend context. The patch uses md_is_rdwr() to distinguish between suspend and destructor paths. Patched commits are available at Kernel Git Commit 24783d, Kernel Git Commit 338378d, and Kernel Git Commit cefcb92.
Workarounds
- Reorder teardown so that underlying metadata and data devices are not suspended before the top-level RAID device is removed
- Limit shell and orchestration access to device-mapper administration utilities on systems that cannot be patched immediately
- Schedule maintenance windows for kernel updates on hosts running md RAID with write-intent bitmaps enabled through dm-raid
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
