7.5
CVE-2026-52946
- EPSS 0.61%
- Veröffentlicht 24.06.2026 16:26:04
- Zuletzt bearbeitet 10.07.2026 19:23:34
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
In the Linux kernel, the following vulnerability has been resolved:
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.
When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)
The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.
Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.
Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
&dev->event_lock --> &f_owner->lock --> tasklist_lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(tasklist_lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&f_owner->lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
54626335ea4174ab2d9a183b511d825f6765e47b
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
897d6a7247739fb1528f98c575df4f2e5de7f994
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
b5fa9e32fb6718f70c986ee14dd5d01b4846f331
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
1bee417678f1135e35b25a37734db46aa94258d2
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
20a93e397abe850c49b6fa0e8cc827b5f634a8f5
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
Status
affected
Version
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version <
00633c4683828acd5256fa8d5163f440d74bbe71
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
2.6.12
Status
affected
Version
0
Version <
2.6.12
Status
unaffected
Version <=
5.10.*
Version
5.10.259
Status
unaffected
Version <=
5.15.*
Version
5.15.210
Status
unaffected
Version <=
6.1.*
Version
6.1.176
Status
unaffected
Version <=
6.6.*
Version
6.6.143
Status
unaffected
Version <=
6.12.*
Version
6.12.94
Status
unaffected
Version <=
6.18.*
Version
6.18.36
Status
unaffected
Version <=
7.0.*
Version
7.0.13
Status
unaffected
Version <=
7.1.*
Version
7.1.1
Status
unaffected
Version <=
*
Version
7.2-rc1
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.61% | 0.448 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
https://git.kernel.org/stable/c/54626335ea4174ab2d9a183b511d825f6765e47b
https://git.kernel.org/stable/c/897d6a7247739fb1528f98c575df4f2e5de7f994
https://git.kernel.org/stable/c/32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
https://git.kernel.org/stable/c/b5fa9e32fb6718f70c986ee14dd5d01b4846f331
https://git.kernel.org/stable/c/1bee417678f1135e35b25a37734db46aa94258d2
https://git.kernel.org/stable/c/20a93e397abe850c49b6fa0e8cc827b5f634a8f5
https://git.kernel.org/stable/c/bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
https://git.kernel.org/stable/c/36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
https://git.kernel.org/stable/c/00633c4683828acd5256fa8d5163f440d74bbe71