Linux Kernel Vulnerability in rtmutex Component Affecting Multiple Versions
CVE-2026-43499

7.8HIGH

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 21 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-43499?

A vulnerability exists in the Linux kernel's rtmutex component where the remove_waiter() function incorrectly utilizes current instead of waiter::task during a dequeue operation within various mutex handling paths. This mismanagement leads to multiple issues, including potential use-after-free vulnerabilities due to dangling pointers and improper priority management across tasks. The implications of this vulnerability necessitate careful attention to maintain system integrity and security.

Affected Version(s)

Linux 8161239a8bcce9ad6b537c04a1fa3b5c68bae693

Linux 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 < 8a1fc8d698ac5e5916e3082a0f74450d71f9611f

Linux 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 < 6d52dfcb2a5db86e346cf51f8fcf2071b8085166

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-43499
Created by MobiusM

References

https://git.kernel.org/stable/c/d8cce4773c2b23d819baf5abe...

https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0...

https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 27, 2026
👾
Exploit known to exist
Jun 27, 2026
Vulnerability published
May 21, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-43499 Data

JSON