Skip to main content

Linux CVE-2026-23292

| EUVDEUVD-2026-15221 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-03-25 Linux GHSA-55fh-fmpq-w8h6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 27, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15221
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix recursive locking in __configfs_open_file()

In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace:

down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows:

db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking.

Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.

AnalysisAI

A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.

Technical ContextAI

The vulnerability resides in the Linux kernel's SCSI target subsystem (linux:linux per CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically in the configfs configuration filesystem interface used for target storage object management. The root cause is a resource management issue stemming from improper semaphore handling during nested filesystem operations. When flush_write_buffer() acquires the frag_sem semaphore on a configfs file and then invokes the target_core_item_dbroot_store() callback function, that callback uses filp_open() to validate file paths. If the user provides the same configfs file path currently being written to, filp_open() triggers __configfs_open_file() which attempts to acquire the same frag_sem semaphore recursively, creating a potential deadlock. The fix replaces filp_open() with kern_path(), which performs path validation at the kernel level without triggering configfs-specific file opening logic and semaphore acquisition, thus avoiding the recursive locking scenario. This is fundamentally a semaphore/locking primitives misuse issue rather than a memory corruption or information disclosure vulnerability, though tags indicate information disclosure concerns.

RemediationAI

Upgrade the Linux kernel to a version incorporating one of the published patch commits (3161ef61f121d4573cad5b57c92188dcd9b284b3 or later stable backports available at https://git.kernel.org/stable/). Most Linux distributions (RHEL, Ubuntu, Debian, SUSE, etc.) will provide kernel security updates through their standard patch channels; administrators should apply available kernel updates for their distribution via their package manager (apt, yum, zypper, etc.). If immediate kernel upgrade is not feasible, restrict access to configfs target configuration interfaces by limiting who can write to /sys/kernel/config/target/ via file permissions and SELinux/AppArmor policies, and avoid writing invalid file paths to the dbroot configuration parameter. For production systems running target storage services, coordinate kernel updates during maintenance windows as reboots are typically required for kernel updates to take effect.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy