Severity: Medium (CVSS 5.5) · NVD Advisory · Published May 6, 2026 · Updated May 11, 2026

CVE-2026-43192

Description

In the Linux kernel, the following vulnerability has been resolved:

dm mpath: Add missing dm_put_device when failing to get scsi dh name

When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and streamline the error paths of parse_path() a little.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing dm_put_device in Linux kernel dm-mpath on SCSI device handler name allocation failure leads to reference leak.

Vulnerability

Details

CVE-2026-43192 is a device reference leak in the Linux kernel's device mapper multipath (dm-mpath) subsystem. When commit fd81bc5cca8f introduced error handling for a scsi_dh_attached_handler_name() failure (for example -ENOMEM), the new error path did not release the reference to the path device obtained earlier via dm_get_device(). As a result, on that error condition during path parsing in parse_path(), the device's reference count is never decremented, and the reference leaks.
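To make the defect concrete, the following is an added, self-contained C model of the get/put pairing described above; it is not the kernel's code. `model_get_device()`, `model_put_device()`, `model_handler_name()`, `parse_path_leaky()` and `parse_path_fixed()` are constructed stand-ins for dm_get_device(), dm_put_device(), scsi_dh_attached_handler_name() and parse_path(). The "leaky" variant reproduces the pattern of returning -ENOMEM after a reference was taken, and the "fixed" variant shows the single unwinding error path (the usual kernel `goto` idiom) that the commit message calls streamlining. A counter of outstanding references makes the leak observable.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a path device with a reference count.
 * This is NOT struct dm_dev; it only models the get/put pairing. */
struct model_dev {
    int refcount;
};

static struct model_dev g_dev = { .refcount = 0 };

/* Stand-ins for dm_get_device()/dm_put_device(): take and drop one reference. */
static struct model_dev *model_get_device(void) { g_dev.refcount++; return &g_dev; }
static void model_put_device(struct model_dev *d) { d->refcount--; }

/* Stand-in for scsi_dh_attached_handler_name(); NULL models an allocation failure. */
static int g_fail_name_alloc = 0;
static char *model_handler_name(void) {
    if (g_fail_name_alloc)
        return NULL;
    const char *name = "alua";            /* constructed handler-name example */
    char *copy = malloc(strlen(name) + 1);
    if (copy)
        memcpy(copy, name, strlen(name) + 1);
    return copy;
}

struct model_path {
    struct model_dev *dev;
    char *handler_name;
};

/* Before: mirrors the defect in the advisory. On name-allocation failure the
 * function returns -ENOMEM without dropping the device reference taken above. */
static int parse_path_leaky(struct model_path *p) {
    p->dev = model_get_device();
    p->handler_name = model_handler_name();
    if (!p->handler_name) {
        p->dev = NULL;                    /* reference is lost, never put back */
        return -ENOMEM;
    }
    return 0;
}

/* After: one unwinding error label guarantees every reference taken is
 * released on every failure, whichever step fails. */
static int parse_path_fixed(struct model_path *p) {
    int r;

    p->dev = model_get_device();
    p->handler_name = model_handler_name();
    if (!p->handler_name) {
        r = -ENOMEM;
        goto bad;
    }
    return 0;

bad:
    model_put_device(p->dev);
    p->dev = NULL;
    return r;
}

/* Release whatever a successful parse left behind. */
static void free_path(struct model_path *p) {
    if (p->handler_name) { free(p->handler_name); p->handler_name = NULL; }
    if (p->dev)          { model_put_device(p->dev); p->dev = NULL; }
}

/* Parse once under forced allocation failure and report outstanding references
 * afterwards: 0 is correct, >0 is a leak, -1 means the failure was not reported. */
static int leaked_refs_after_failure(int (*parse)(struct model_path *)) {
    struct model_path p = { 0 };
    g_dev.refcount = 0;
    g_fail_name_alloc = 1;
    int r = parse(&p);
    g_fail_name_alloc = 0;
    free_path(&p);
    return (r == -ENOMEM) ? g_dev.refcount : -1;
}

/* Same check on the success path: after free_path() nothing should remain. */
static int leaked_refs_after_success(int (*parse)(struct model_path *)) {
    struct model_path p = { 0 };
    g_dev.refcount = 0;
    g_fail_name_alloc = 0;
    int r = parse(&p);
    free_path(&p);
    return (r == 0) ? g_dev.refcount : -1;
}

int main(void) {
    printf("leaky variant, failure path: %d reference(s) leaked\n",
           leaked_refs_after_failure(parse_path_leaky));
    printf("fixed variant, failure path: %d reference(s) leaked\n",
           leaked_refs_after_failure(parse_path_fixed));
    return 0;
}
```

The check generalises beyond this CVE: any function that acquires a reference and then has more than one exit must release it on every exit, and a forced-failure test that counts outstanding references after each error return is the cheapest way to catch the missing put.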

Exploitation

An attacker would need local access to the system to trigger the vulnerable code path. The issue occurs when the system attempts to parse a multipath device and the SCSI device handler name allocation fails due to memory pressure. No special privileges beyond the ability to cause device mapper events are required, but the attacker must be able to influence memory allocation failures or device handler attachment. The vulnerability is primarily a bug in error handling, making exploitation for denial-of-service or resource exhaustion plausible.

Impact

If triggered repeatedly, the leak can exhaust kernel memory or prevent device removal, leading to system instability. The CVSS v3 score of 5.5 (Medium) reflects the localized nature of the vulnerability and the requirement for local access. There is no evidence of remote exploitation or privilege escalation.

Mitigation

The fix was included in upstream Linux kernel stable trees via commits [1] and [2]. Administrators should apply the latest stable kernel updates to ensure the fix is deployed. No workarounds are documented; relying on patched kernels is the recommended action.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=6.19,<6.19.6
