PatchSiren cyber security CVE debrief
CVE-2026-43499 Linux CVE debrief
CVE-2026-43499 is a Linux kernel synchronization bug in rtmutex handling. The supplied CVE text says remove_waiter() can be reached not only from slowlock paths, but also during proxy-lock rollback from rt_mutex_start_proxy_lock() when invoked by futex_requeue(). In that rollback case, waiter::task is not current, so using current for dequeue-related operations can leave the waiter task’s pi_blocked_on state uncleared, operate without the correct pi_lock held, and feed the wrong task into rt_mutex_adjust_prio_chain(). The fix is to use waiter::task consistently in remove_waiter().
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Linux kernel maintainers, distro and appliance vendors shipping kernel updates, and operators who rely on futex-heavy or real-time scheduling workloads should pay attention. Security teams responsible for backporting kernel fixes should treat this as a synchronization correctness issue with potential memory-safety consequences.
Technical summary
According to the CVE description, remove_waiter() is used in both slowlock paths and proxy-lock rollback during rt_mutex_start_proxy_lock(). In the rollback case, the waiter being removed is not necessarily the current task. The vulnerable behavior is using current instead of waiter::task for related operations in remove_waiter(), which can: (1) perform the rbtree dequeue without holding waiter::task::pi_lock, (2) fail to clear the waiter task’s pi_blocked_on field, leaving a dangling pointer and possible UAF risk, and (3) cause rt_mutex_adjust_prio_chain() to operate on the wrong top-priority waiter task. The resolved change replaces current with waiter::task in the affected paths.
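The three effects listed above, shown in a user-space C model that is added here and is neither kernel code nor part of the CVE record. The struct layouts, dequeue_as(), run_case() and the result bitmask are assumptions made for illustration; only remove_waiter, waiter::task, pi_lock and pi_blocked_on are names taken from the CVE text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model; field names follow the CVE text, layouts are hypothetical. */
struct waiter;
struct task {
    bool pi_lock_held;            /* stands in for holding task->pi_lock */
    struct waiter *pi_blocked_on; /* waiter this task is blocked on */
};
struct waiter {
    struct task *task;       /* waiter::task, the blocked task */
    bool queued;             /* stands in for rbtree membership */
    bool dequeue_locked;     /* was waiter::task's pi_lock held at dequeue? */
    struct task *chain_task; /* task handed to the priority chain walk */
};

/* Dequeue bookkeeping performed on behalf of task t. */
static void dequeue_as(struct task *t, struct waiter *w)
{
    t->pi_lock_held = true;
    w->dequeue_locked = w->task->pi_lock_held;
    w->queued = false;
    t->pi_blocked_on = NULL;
    t->pi_lock_held = false;
    w->chain_task = t;
}

/* Pre-fix behaviour described in the CVE text: everything keyed on current. */
void remove_waiter_buggy(struct task *cur, struct waiter *w) { dequeue_as(cur, w); }
/* Post-fix behaviour: everything keyed on waiter::task. */
void remove_waiter_fixed(struct task *cur, struct waiter *w) { (void)cur; dequeue_as(w->task, w); }

/* Returns a bitmask: 1 = stale pi_blocked_on, 2 = dequeue without the
 * waiter task's pi_lock, 4 = wrong task passed to the chain walk. */
int run_case(bool fixed, bool rollback)
{
    struct task requeuer = {0}, sleeper = {0};
    struct waiter w = { .task = &sleeper, .queued = true };
    /* Rollback: current is the requeuer; slowlock: current is the waiter. */
    struct task *cur = rollback ? &requeuer : &sleeper;
    sleeper.pi_blocked_on = &w;
    (fixed ? remove_waiter_fixed : remove_waiter_buggy)(cur, &w);
    return (sleeper.pi_blocked_on ? 1 : 0) | (w.dequeue_locked ? 0 : 2) |
           (w.chain_task != w.task ? 4 : 0);
}
int main(void)
{
    printf("%d %d %d\n", run_case(false, true), run_case(true, true), run_case(false, false));
    return 0;
}
```

In the slowlock case current and waiter::task are the same task, so the pre-fix variant shows no fault there; the faults appear only in the rollback case.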
Defensive priority
High for kernel patching and backporting. This is core locking code in the Linux kernel, and the supplied description explicitly ties it to stale state and dangling-pointer risk. Prioritize any supported kernel branch that includes futex/rtmutex code paths.
Recommended defensive actions
- Apply the upstream/stable Linux kernel fixes referenced in the record to all supported branches.
- Backport the change carefully to vendor kernels and long-term support builds that include rtmutex and futex_requeue paths.
- Validate that remove_waiter() and related priority-inheritance code now operate on waiter::task rather than current in the rollback path.
- Run regression testing focused on futex, priority inheritance, and real-time mutex workloads after patching.
- Watch for kernel warnings, oopses, or crashes in code paths involving rt_mutex_start_proxy_lock(), futex_requeue(), pi_blocked_on, and rt_mutex_adjust_prio_chain().
Evidence notes
The supplied CVE text explicitly states that remove_waiter() is used for proxy-lock rollback from rt_mutex_start_proxy_lock() when invoked by futex_requeue(), and that using current there causes three specific problems: missing pi_lock coverage, uncleared pi_blocked_on state, and incorrect rt_mutex_adjust_prio_chain() behavior. The record’s publishedAt/modifiedAt timestamps are 2026-05-21T13:16:19.300Z, NVD vulnStatus is "Received", and the NVD metadata includes five kernel.org stable commit references.
Official resources
- CVE-2026-43499 CVE record (CVE.org)
- CVE-2026-43499 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Published by the source record on 2026-05-21T13:16:19.300Z. No KEV entry is present in the supplied timeline, and the CVE record in the provided corpus does not include a CVSS score.