ACK: [SRU][J][PATCH 0/1] CVE-2026-43499
Manuel Diewald
manuel.diewald at canonical.com
Thu Jul 16 15:22:58 UTC 2026
On Fri, Jul 10, 2026 at 11:58:12AM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-43499
>
> [ Impact ]
>
> remove_waiter() in the rtmutex code operates on current for its dequeue
> operation, but it is also used for proxy-lock rollback in
> rt_mutex_start_proxy_lock() when invoked from futex_requeue(), where
> waiter::task is not current. This causes the rbtree dequeue to happen without
> holding waiter::task::pi_lock, leaves the waiter task's pi_blocked_on state
> uncleared (a dangling pointer primed for use-after-free), and causes
> rt_mutex_adjust_prio_chain() to operate on the wrong top priority waiter task.
> An attacker could exploit the resulting UAF to corrupt memory and potentially
> escalate privileges.
>
> [ Fix ]
>
> jammy: clean cherry-pick
> focal: backported with AI-assisted adaptation
> bionic: backported with AI-assisted adaptation
> xenial: backported with AI-assisted adaptation
> trusty: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this change would affect the rtmutex/futex priority-inheritance
> locking subsystem, potentially causing incorrect priority chain adjustments,
> lock state corruption, or deadlocks under contended futex_requeue() operations.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/8cc3a047/attachment.sig>
More information about the kernel-team
mailing list