CVE-2026-45888 Linux CVE debrief

Who should care

System administrators running Linux systems with software RAID1 (mdraid) configurations, kernel maintainers, and security teams responsible for Linux infrastructure patching.

Technical summary

The vulnerability is a memory leak in the Linux kernel's RAID1 device mapper (md/raid1). In raid1_run(), the function setup_conf() registers a kernel thread via md_register_thread(). If the subsequent raid1_set_limits() call fails, the error path did not previously unregister the thread, leaking the md_thread structure and thread resource. The fix adds md_unregister_thread() to this error path for proper cleanup.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the fix commits for affected stable kernel branches
• Monitor kernel vendor security advisories for distribution-specific patch availability
• Review systems utilizing md/raid1 for kernel version inventory
• Consider rebooting after kernel update to ensure patched code is active

Evidence notes

The vulnerability description indicates the issue was found using a prototype static analysis tool and code review, with compile testing performed. The fix adds proper cleanup via md_unregister_thread() in the error path when raid1_set_limits() fails after thread registration. Multiple kernel stable branch commits are referenced, indicating backporting to supported kernel versions.

Official resources