CVE-2025-68368
Description
In the Linux kernel, the following vulnerability has been resolved:
md: init bioset in mddev_init
IO operations may be needed before md_run(), such as updating metadata after a sysfs write. Without the bioset, this triggers a NULL pointer dereference as below:
BUG: kernel NULL pointer dereference, address: 0000000000000020
Call Trace:
 md_update_sb+0x658/0xe00
 new_level_store+0xc5/0x120
 md_attr_store+0xc9/0x1e0
 sysfs_kf_write+0x6f/0xa0
 kernfs_fop_write_iter+0x141/0x2a0
 vfs_write+0x1fc/0x5a0
 ksys_write+0x79/0x180
 __x64_sys_write+0x1d/0x30
 x64_sys_call+0x2818/0x2880
 do_syscall_64+0xa9/0x580
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
Reproducer:

```shell
# Reproducer from the fix's commit message. Needs root, overwrites /dev/sdc and
# /dev/sdd, and crashes an unpatched kernel: run it only in a throwaway VM.
mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]            # create and start a two-disk RAID1
echo inactive > /sys/block/md0/md/array_state    # stop the array; md0 and its sysfs dir remain
echo 10 > /sys/block/md0/md/new_level            # metadata update needs the bioset -> NULL deref
```
mddev_init() can only be called once per mddev, so there is no longer any need to test whether the bioset has already been initialized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's md driver occurs when metadata sysfs operations are performed before the md device's bioset has been initialized, leading to a kernel crash.
Summary
The md driver set up its per-device bioset only in md_run(), not in mddev_init(), so a metadata update requested while the array is not running finds no bioset to allocate bios from. The md_update_sb() path reached by writing the new_level sysfs attribute then dereferences NULL, as the crash trace shows with the kernel faulting at offset 0x20 of a NULL pointer [1].
Exploitation
A local user with write access to an md device's sysfs attributes can trigger this vulnerability. The reproducer creates a RAID1 array with mdadm, writes 'inactive' to array_state (which stops the array while leaving /dev/md0 and its sysfs directory in place), and then writes to new_level. That write reaches md_update_sb() at a point where md_run() has not set up the bioset, and the kernel crashes [1]. Note that the md sysfs attributes involved (array_state, new_level) are writable only by root by default, and creating the array with mdadm also requires root, so in a stock configuration this is a root-triggerable crash, not an unprivileged one.
Impact
A successful trigger causes a kernel NULL pointer dereference, resulting in a system crash (denial of service). The bug is deterministic and easily reproduced by any local user who can manipulate md devices via sysfs (root by default, or an account explicitly granted write access to those attributes). No privilege escalation or data corruption has been reported.
Mitigation
The fix moves the bioset initialization from md_run() into mddev_init(), so the bioset exists for the whole lifetime of the mddev and is available to any metadata operation, whether or not the array is running. Because mddev_init() is called exactly once per mddev, the patch also drops the old check for a previously initialized bioset. The fix has been applied to the Linux kernel stable tree [1].
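The following is an added user-space model of the lifecycle ordering bug and of the fix, not kernel code and not part of this advisory. It keeps the md function names from the commit message but replaces the embedded kernel bio_set with a heap pointer so that "bioset not initialized" shows up as NULL and an error return instead of a crash; the assumption that stopping the array returns the mddev to its pre-md_run() state (so the reproducer's `inactive` write exercises the same missing-bioset path as a write before the array is ever run) is the model's, and the -ENXIO return stands in for the kernel's NULL dereference.

```c
/* Added example (user-space model of CVE-2025-68368), not kernel source.
 * Function names mirror md; struct layout, pointer bioset and error codes
 * are assumptions made for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's bio_set. The kernel embeds it in mddev; a pointer
 * makes "not yet initialized" observable as NULL rather than a crash. */
struct bio_set { int bios_allocated; };

struct mddev {
    struct bio_set *bio_set;
    bool running;
    bool fixed;   /* false: bioset set up in md_run(); true: in mddev_init() */
};

static struct bio_set *bioset_init(void) { return calloc(1, sizeof(struct bio_set)); }

static void bioset_exit(struct bio_set **bs) { free(*bs); *bs = NULL; }

/* mddev_init() runs exactly once per mddev. With the fix the bioset is created
 * here, so it exists for every sysfs write regardless of array state. */
static int mddev_init(struct mddev *m, bool fixed) {
    memset(m, 0, sizeof(*m));
    m->fixed = fixed;
    if (fixed) {
        m->bio_set = bioset_init();
        if (!m->bio_set) return -ENOMEM;
    }
    return 0;
}

/* Old ordering: md_run() lazily creates the bioset (guarded by an "already
 * initialized?" test). The fixed ordering no longer needs that test. */
static int md_run(struct mddev *m) {
    if (!m->fixed && !m->bio_set) {
        m->bio_set = bioset_init();
        if (!m->bio_set) return -ENOMEM;
    }
    m->running = true;
    return 0;
}

/* "echo inactive > array_state": model assumption that stopping undoes what
 * md_run() set up, leaving the old ordering with no bioset. */
static void md_stop(struct mddev *m) {
    m->running = false;
    if (!m->fixed) bioset_exit(&m->bio_set);
}

static void mddev_destroy(struct mddev *m) { bioset_exit(&m->bio_set); }

/* md_update_sb() as reached from new_level_store(): it needs a bio from the
 * bioset. In the kernel the missing bioset is the NULL dereference in the
 * trace; here it is reported as -ENXIO. */
static int md_update_sb(struct mddev *m) {
    if (!m->bio_set) return -ENXIO;   /* BUG: kernel NULL pointer dereference */
    m->bio_set->bios_allocated++;     /* stands in for bio_alloc_bioset() */
    return 0;
}

/* Replays the reproducer: create+run, set inactive, write new_level. */
static int replay_reproducer(bool fixed) {
    struct mddev m;
    int rc = mddev_init(&m, fixed);
    if (rc) return rc;
    rc = md_run(&m);                 /* mdadm -CR /dev/md0 ... */
    if (rc) { mddev_destroy(&m); return rc; }
    md_stop(&m);                     /* echo inactive > array_state */
    rc = md_update_sb(&m);           /* echo 10 > new_level */
    mddev_destroy(&m);
    return rc;
}

/* The general case from the commit message: a metadata write that arrives
 * before md_run() has ever been called. */
static int update_before_run(bool fixed) {
    struct mddev m;
    int rc = mddev_init(&m, fixed);
    if (rc) return rc;
    rc = md_update_sb(&m);
    mddev_destroy(&m);
    return rc;
}
```

With the old ordering both `replay_reproducer(false)` and `update_before_run(false)` return -ENXIO, the point at which the real kernel faults; with the bioset created in mddev_init() both return 0, and md_run() no longer needs its "already initialized" guard because mddev_init() is the single point of initialization.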
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in our index yet)