[SRU][J][PATCH 0/1] CVE-2026-43499

Cengiz Can cengiz.can at canonical.com
Fri Jul 10 08:58:12 UTC 2026


https://ubuntu.com/security/CVE-2026-43499

[ Impact ]

remove_waiter() in the rtmutex code operates on current for its dequeue
operation, but it is also used for proxy-lock rollback in
rt_mutex_start_proxy_lock() when invoked from futex_requeue(), where
waiter::task is not current. This causes the rbtree dequeue to happen without
holding waiter::task::pi_lock, leaves the waiter task's pi_blocked_on state
uncleared (a dangling pointer primed for use-after-free), and causes
rt_mutex_adjust_prio_chain() to operate on the wrong top priority waiter task.
An attacker could exploit the resulting UAF to corrupt memory and potentially
escalate privileges.

[ Fix ]

jammy: clean cherry-pick
focal: backported with AI-assisted adaptation
bionic: backported with AI-assisted adaptation
xenial: backported with AI-assisted adaptation
trusty: backported with AI-assisted adaptation

[ Test Plan ]

Boot tested.

[ Where Problems Could Occur ]

A regression in this change would affect the rtmutex/futex priority-inheritance
locking subsystem, potentially causing incorrect priority chain adjustments,
lock state corruption, or deadlocks under contended futex_requeue() operations.



More information about the kernel-team mailing list