## https://sploitus.com/exploit?id=ECD48805-B674-5D15-9640-7AE6AB574266
# CVE-2026-43499: Linux Kernel Futex PI Use-After-Free
## Bug
`remove_waiter()` in `kernel/locking/rtmutex.c` is used by the slowlock paths but also for proxy-lock rollback in `rt_mutex_start_proxy_lock()` when invoked from `futex_requeue()`.
In the proxy-lock case `waiter::task` is not `current`, but `remove_waiter()` incorrectly operates on `current`. This causes three problems:
1. The rbtree dequeue happens without `waiter::task::pi_lock` being held.
2. The waiter task's `pi_blocked_on` is not cleared, leaving a dangling pointer primed for use-after-free.
3. `rt_mutex_adjust_prio_chain()` operates on the wrong task.
**CWE-416** (Use After Free). CVSS 3.1: **7.8 HIGH** (Local, Low complexity, Low privileges required).
Affected: Linux 2.6.39 through 6.18.x; patched in 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4.
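To triage a device against the affected and patched versions listed above, the following shell helper (added here, not part of the PoC) classifies a `uname -r` string; it assumes that stable series without a listed fix (e.g. 5.10, 5.15) are unfixed and that anything newer than the 7.0 series carries the mainline fix.

```shell
#!/bin/sh
# Added example, not part of the PoC: classify a kernel version string
# against the fixed versions listed for CVE-2026-43499.
# Assumption: series without a listed fix are treated as unfixed, and
# anything newer than 7.0 is treated as carrying the mainline fix.

# First fixed patch level per stable series, taken from the advisory text.
fixed_for_series() {
    case "$1" in
        6.1)  echo 175 ;;
        6.6)  echo 140 ;;
        6.12) echo 86 ;;
        6.18) echo 27 ;;
        7.0)  echo 4 ;;
        *)    echo "" ;;
    esac
}

# Prints "fixed", "vulnerable" or "unaffected" for a version such as
# "6.6.139-android14-11-g1234abcd" (anything after the numeric part is ignored).
futex_pi_status() {
    ver=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    # The affected code does not exist before 2.6.39.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && { [ "$minor" -lt 6 ] || [ "$patch" -lt 39 ]; }; }; then
        echo unaffected; return
    fi
    # Releases after the 7.0 series contain the mainline fix (assumption).
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 0 ]; }; then
        echo fixed; return
    fi
    fix=$(fixed_for_series "$major.$minor")
    if [ -n "$fix" ] && [ "$patch" -ge "$fix" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# On a device: futex_pi_status "$(adb shell uname -r)"
```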
## Usage
**Prerequisites:** Android NDK 27, CMake ≥ 3.22, `adb`.
```bash
cmake -B build -G Ninja
cmake --build build
adb push build/trigger /data/local/tmp/trigger
adb shell chmod +x /data/local/tmp/trigger
adb shell /data/local/tmp/trigger
```
Expected output on a vulnerable device ends with a kernel panic:
```
Unable to handle kernel write to read-only memory
```
## Credits
**Reported by:**
- Yuan Tan
- Yifan Wu
- Juefei Pu
- Xin Liu
**Fix authored by:** Keenan Dong
**Fix committed by:** Thomas Gleixner
**Commit:** [`3bfdc63`](https://github.com/torvalds/linux/commit/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349) - rtmutex: Use waiter::task instead of current in remove_waiter()