Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel rtmutex remove_waiter() use-after-free risk

IdentifiersCVE-2026-43499CWE-416

CVE-2026-43499 is a Linux kernel rtmutex flaw in remove_waiter(). The bug arises because remove_waiter() used current for waiter dequeue and related operations, even though the function is also invoked during proxy-lock rollback in rt_mutex_start_proxy_lock() from futex_requeue(), where waiter::task is not necessarily current. As a result, the code can perform the rbtree dequeue without holding the correct waiter task's pi_lock, fail to clear the waiter task's pi_blocked_on state, and drive rt_mutex_adjust_prio_chain() using the wrong top-priority waiter task. The stale pi_blocked_on reference leaves a dangling pointer condition that is primed for use-after-free.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering can corrupt rtmutex waiter state and priority-inheritance bookkeeping. The documented consequences include dequeue operations occurring without the proper pi_lock, failure to clear pi_blocked_on on the actual waiter task, creation of a dangling pointer that can lead to use-after-free conditions, and incorrect priority-chain adjustment. Depending on reachability and runtime conditions, this can result in kernel memory-safety issues, instability, crashes, or potentially more serious kernel-level impact.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels can be deployed, reduce exposure to affected futex/rtmutex paths where possible by limiting untrusted local code execution and restricting access to systems where local users or workloads can exercise futex requeue and priority-inheritance locking behavior. There is no complete mitigation in the provided content short of applying the kernel fix.

Remediation

Patch, then assume compromise.

Apply the upstream/vendor kernel update that fixes remove_waiter() to use waiter::task instead of current in all related operations, including the associated rt_mutex_adjust_prio_chain() fixup. Deploy the maintained Linux kernel release containing the patch from your distribution or kernel vendor.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
bugzilla suseNews
Jun 26, 2026
1258538 - Enable Rust for Tumbleweed kernel

Referenced as one of many vulnerabilities solved by SUSE security updates; no technical details provided in the content.

Read more
google security research pull requestsNews
Jun 24, 2026
Add kernelCTF CVE-2026-43499_lts_cos by nebusecurity · Pull Request #402 · google/security-research · GitHub

A specific vulnerability identified as CVE-2026-43499 is referenced in the context of initial exploit code and a writeup being created, indicating security research or exploit development activity.

Read more
bugzilla suseNews
Jun 24, 2026
1266001 - (CVE-2026-43499) VUL-0: CVE-2026-43499: kernel: rtmutex: Use waiter::task instead of current in remove_waiter()

A Linux kernel rtmutex flaw in remove_waiter() where current was used instead of waiter::task during dequeue and related operations, causing improper locking, uncleared pi_blocked_on state, dangling pointer/UAF risk, and incorrect priority-chain adjustment.

Read more
suse securityNews
Jun 18, 2026
Security update for the Linux Kernel | SUSE Support | SUSE

Linux kernel rtmutex vulnerability involving incorrect task reference handling in waiter removal.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43499
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43499
MITRE CWE · CWE-416
cwe.mitre.org
git.kernel.org
git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
git.kernel.org
git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2
git.kernel.org
git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166
git.kernel.org
git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11
git.kernel.org
git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f
git.kernel.org
git.kernel.org/stable/c/d8cce4773c2b23d819baf5abedc62f7b430e8745